Update NuGet dependencies to latest and switch to trusted publishing#3
Merged
Merged
Conversation
Bump all package references to their latest stable versions, leaving the intentionally capped NextIteration.SpectreConsole.Auth range untouched: - Microsoft.Extensions.* 10.0.5 -> 10.0.9 - Spectre.Console 0.55.2 -> 0.56.0 - Microsoft.SourceLink.GitHub 8.0.0 -> 10.0.300 - Microsoft.NET.Test.Sdk 17.11.1 -> 18.6.0 - xunit 2.9.2 -> 2.9.3 - xunit.runner.visualstudio 2.8.2 -> 3.1.5 - coverlet.collector 6.0.2 -> 10.0.1 Switch the publish job to NuGet trusted publishing (OIDC): grant the job id-token: write, exchange the GitHub OIDC token for a short-lived API key via NuGet/login@v1 immediately before push, and drop the long-lived NUGET_API_KEY secret in favour of a NUGET_USER profile name. Update RELEASING.md prerequisites accordingly. Build clean (0 warnings) and all 59 tests pass.
Adobe 0.2.2 -> 0.2.3, Airtable 0.2.2 -> 0.2.3, SoftwareOne 0.3.2 -> 0.3.3. Patch release covering the dependency refresh and the switch to trusted publishing. No public API or behaviour changes. CHANGELOG updated.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Two maintenance changes requested together:
1. Bump NuGet dependencies to latest stable
All package references updated to their latest non-prerelease versions. The intentionally capped
NextIteration.SpectreConsole.Authrange ([0.6.1,1.0.0)) is left untouched.Build is clean (0 warnings, with
TreatWarningsAsErrors) and all 59 tests pass.dotnet packstill produces both.nupkgand.snupkg.2. Switch publishing to NuGet trusted publishing (OIDC)
The
publishjob no longer relies on a long-livedNUGET_API_KEYsecret. Instead it:id-token: write(pluscontents: read),NuGet/login@v1immediately before push to exchange the GitHub OIDC token for a short-lived (1-hour) nuget.org API key,dotnet nuget push.RELEASING.mdprerequisites are updated to match.This won't publish until the nuget.org side is configured:
StuartMeeks, RepositoryNextIteration.SpectreConsole.Auth.Providers, Workflow Fileci.yml. The policy owner must own all three provider packages. (Private-repo policies are provisionally active for 7 days until the first successful publish locks them in.)NUGET_USERrepo secret = your nuget.org profile name (username, not email).NUGET_API_KEYsecret can be deleted once this merges.Test plan
dotnet build -c Release— 0 warnings/errorsdotnet test -c Release— 59/59 passingdotnet pack—.nupkg+.snupkgproducedci.ymlvalidates as YAMLNUGET_USERare set up