Skip to content

build: lock NuGet dependencies and pin the SDK via global.json#11

Merged
msallin merged 1 commit into
mainfrom
claude/adoring-dewdney-b8adaa
Jun 15, 2026
Merged

build: lock NuGet dependencies and pin the SDK via global.json#11
msallin merged 1 commit into
mainfrom
claude/adoring-dewdney-b8adaa

Conversation

@msallin

@msallin msallin commented Jun 15, 2026

Copy link
Copy Markdown
Owner

What

Make restores reproducible and keep the toolchain current automatically.

  • Lock NuGet packages. Enable RestorePackagesWithLockFile in Directory.Build.props, generating a committed packages.lock.json for every project. This pins the full transitive graph, including the floating Hangfire 1.8.* references.
  • Enforce the lock in CI/CD. Both workflows restore with --locked-mode, which fails the build if any lock file is missing or out of date.
  • Pin the SDK in global.json (10.0.300, rollForward: latestMinor) and install it via setup-dotnet's global-json-file instead of a floating 10.0.x. NuGet is cached keyed on the committed lock files (cache-dependency-path: '**/packages.lock.json').
  • Auto-update global.json. Add the dotnet-sdk Dependabot ecosystem so the pinned SDK version is bumped automatically. The existing nuget ecosystem already refreshes the new lock files.

Why

10.0.x SDK and floating package versions made builds non-deterministic across machines and over time. Lock files + a pinned SDK give reproducible restores; Dependabot keeps both current without manual edits.

Reviewer notes

  • rollForward: latestMinor keeps CI on the exact pinned patch (installed by setup-dotnet) while letting local contributors build with any newer .NET 10 SDK they have.
  • Regenerating lock files after a PackageReference change is a plain dotnet restore, then commit the updated packages.lock.json files (documented in Directory.Build.props).
  • The pre-existing NuGetAuditSuppress (transitive Newtonsoft.Json advisory) still applies; audit stays active for everything else.
  • Verified locally: dotnet restore --locked-mode + dotnet build -c Release --no-restore → 0 warnings, 0 errors.

Enable RestorePackagesWithLockFile so every project gets a committed
packages.lock.json, pinning the full transitive graph (including the
floating Hangfire 1.8.* references). Both workflows now restore with
--locked-mode, so a missing or out-of-date lock fails the build and
restores become reproducible.

Pin the SDK in global.json (10.0.300, rollForward latestMinor) and install
it in CI/CD via setup-dotnet's global-json-file instead of a floating
10.0.x, and cache NuGet keyed on the committed lock files.

Add the dotnet-sdk Dependabot ecosystem so the global.json SDK version is
kept current automatically; the existing nuget ecosystem already updates
the new lock files.
@coderabbitai

coderabbitai Bot commented Jun 15, 2026

Copy link
Copy Markdown

Review Change Stack

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

The PR introduces deterministic NuGet package restoration by pinning the .NET SDK to version 10.0.300 in global.json, enabling RestorePackagesWithLockFile in Directory.Build.props, enforcing --locked-mode restores in CI and CD workflows, adding a Dependabot entry for the SDK, and committing the generated packages.lock.json files for all projects.

Changes

Reproducible NuGet restore and SDK pinning

Layer / File(s) Summary
SDK pin and MSBuild lock file config
global.json, Directory.Build.props
global.json sets the SDK to 10.0.300 with rollForward: latestMinor. Directory.Build.props adds RestorePackagesWithLockFile=true with documentation comments describing the regeneration workflow.
CI/CD workflow and Dependabot updates
.github/workflows/ci.yml, .github/workflows/cd.yaml, .github/dependabot.yml
CI and CD workflows switch actions/setup-dotnet to read from global.json, enable NuGet cache keyed on packages.lock.json, and run dotnet restore --locked-mode. Dependabot gains a dotnet-sdk entry for weekly SDK bump PRs.
Generated packages.lock.json files
src/Hangfire.Raft/packages.lock.json, tests/Hangfire.Raft.Tests/packages.lock.json, samples/*/packages.lock.json
Adds committed lock files for the main library, tests, and both sample projects, pinning resolved direct and transitive NuGet dependencies under the net10.0 target.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 Hoppity-hop, the versions are locked,
No drifting deps shall leave us shocked.
global.json now knows the score—
10.0.300, not a patch more!
Lock files committed, CI stands guard,
Reproducible builds—that's not too hard! 🔒

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main changes: locking NuGet dependencies and pinning the SDK via global.json, which are the core objectives of this PR.
Description check ✅ Passed The description is highly detailed and directly related to the changeset, explaining the what, why, and how of each modification across all affected files.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/adoring-dewdney-b8adaa

Comment @coderabbitai help to get the list of available commands and usage tips.

@msallin
msallin merged commit cc6dced into main Jun 15, 2026
2 of 3 checks passed
@msallin
msallin deleted the claude/adoring-dewdney-b8adaa branch June 15, 2026 23:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant