chore: bump deps to latest stable + NuGet trusted publishing#65
Merged
Conversation
Update centrally-managed package versions to latest stable (CPM was already in place): - Microsoft.Data.Sqlite 10.0.8 -> 10.0.9 - Microsoft.Extensions.DependencyInjection 10.0.8 -> 10.0.9 - Microsoft.WindowsAppSDK 2.1.3 -> 2.2.0 - Velopack 1.1.1 -> 1.2.0 Spectre.Console is deliberately held at 0.55.0: a 0.56.0 exists but Spectre.Console.Cli has not shipped one, and the pair must move together. All other packages were already at their latest stable. Switch the importer's NuGet.org push to Trusted Publishing: the release job now exchanges its GitHub OIDC token for a short-lived API key via NuGet/login@v1 (id-token: write) instead of the long-lived NUGET_API_KEY secret. Requires a trusted publishing policy on nuget.org plus a NUGET_USER secret (nuget.org profile username). Verified: full restore + Core/Execution/Importer tests pass on Linux, and the WinUI App compiles clean (0 warnings) on the Windows build host with the bumped WindowsAppSDK/Velopack. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Spectre.Console.Cli has no 0.56.0 yet, so it stays at 0.55.0 (its latest stable) while Spectre.Console moves forward; realign when Cli catches up. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The App csproj referenced win-$(Platform).pubxml, but no such profile exists in the repo — publishes are driven entirely by CLI args. The dangling reference only produced NETSDK1198 on every publish. Removing it silences the warning with no behavioural change. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Bump version.json to 1.0.4 and promote the CHANGELOG: dependency refresh (Windows App SDK 2.2.0, Velopack 1.2.0) and the move to NuGet trusted publishing for the snipdeck-importer tool. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Covers the three requested items.
1. Centralised Package Management
Already in place (committed in
bdea4e4):Directory.Packages.propswithManagePackageVersionsCentrally=trueand every csproj using versionlessPackageReference. No change needed.2. Package updates (latest stable, intentional pins respected)
Bumped the four packages that had a newer stable release:
All other packages were already at their latest stable.
Deliberate hold:
Spectre.Consolestays at 0.55.0. A 0.56.0 exists, butSpectre.Console.Clihas not shipped a matching release and the pair must move in lockstep. Recorded as a comment inDirectory.Packages.propsso it isn't "fixed" by mistake.3. NuGet Trusted Publishing
The importer's NuGet.org push now uses OIDC trusted publishing instead of the long-lived
NUGET_API_KEYsecret:id-token: writeto the release workflow permissions.NuGet/login@v1step (run immediately before the push) exchanges the GitHub OIDC token for a short-lived API key.dotnet nuget pushconsumes that temporary key.Required before the next release (manual, on nuget.org)
StuartMeeks, repoSnipdeck, workflow filerelease.yml.NUGET_USERrepo secret = your nuget.org profile username (not email).NUGET_API_KEYsecret can be removed once the first trusted-publish succeeds.Verification
Snipdeck.Appcompiles clean — 0 warnings (TreatWarningsAsErrors on), 0 errors — with WindowsAppSDK 2.2.0 + Velopack 1.2.0.🤖 Generated with Claude Code