fix: resolve SonarCloud issues in build, new-cli, and CI workflows#4989
Merged
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- S1118: make Arguments/Paths/Tools static utility classes; add protected ctor to EnvVars (it is subclassed, so it cannot be static)
- S2325: make BuildLifetimeBase.LogBuildInformation static
- S112: throw NotSupportedException instead of bare Exception (UnitTest)
- S6570: quote $VERSION in Dockerfile 'dotnet tool install'
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- S8642: lowercase 'param' keyword
- S8637: rename reserved parameter $WhatIf -> $DryRun, keeping WhatIf as an alias so the '-WhatIf' CLI flag (and -Noop/-DryRun) still work unchanged
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- S1125: simplify 'ForcePublish is false' to '!ForcePublish' (PublishDocs)
- S2589: drop redundant null-conditional on entryAssembly (Default; non-null past the tasks guard) using null-forgiving access
- S3887/S2386: expose Tools.Versions as IReadOnlyDictionary
- S3887: expose BuildContext.NativeRuntimes as IReadOnlyDictionary
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Extract argument-building groups into focused helpers (output, auth, assembly-info, repository, verbosity) and use guard clauses to flatten nesting. Stateless helpers are static. Behavior is unchanged.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The NuGet OIDC publish flow threw bare System.Exception on token/API-key failures; use InvalidOperationException for the failure paths.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- S927: rename params to match base/interface (propFactory->propertyFactory
in LoggingEnricher; type->symbol in TypeVisitor.VisitNamedType)
- S6678: PascalCase log placeholders {logFile}/{workDir} -> {LogFile}/{WorkDir}
- S1125: '.Any() == true' -> '.Any() is true' (CommandBaseGenerator)
- S3878: pass single alias directly (params) instead of array literal
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…(S2629) Convert interpolated $"..." log messages to structured message templates with PascalCase named placeholders across the config/normalize/output commands (9 occurrences).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- S7630 (BLOCKER): avoid script injection by passing inputs (dotnet_version,
docker_distro, arch) via env: and referencing $env:VAR in pwsh run steps,
instead of interpolating ${{ inputs.* }} directly into the shell
- S6573: quote the '**/AddFormats/' glob in the format workflow
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Reduce workflow-level permissions to 'contents: read' and grant write scopes only on the jobs that need them, matching what each reusable workflow already declares:
- unit_test: id-token: write (coverage OIDC)
- docker_linux_images / docker_linux_manifests: packages: write
- publish: id-token + packages: write
- release already declares its own job-level permissions
Read-only jobs (prepare, build, artifacts tests) no longer receive package/id-token/attestation write, shrinking the supply-chain blast radius.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
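As an added illustration of the two CI commits above (not code from this PR or the GitVersion repository), a minimal workflow that shows the env: indirection S7630 asks for next to the interpolation it replaces, and a read-only workflow-level token with write scopes granted per job. The workflow name, job names, the dotnet_version input and the pwsh bodies are made up for the example.

```yaml
# Constructed example, not from this PR: names and steps are illustrative.
name: example-ci
on:
  workflow_dispatch:
    inputs:
      dotnet_version:
        type: string
        default: '9.0.x'

# Workflow-level default: a read-only GITHUB_TOKEN for every job that does
# not override it.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # Inherits contents: read only; no id-token or packages write scope here.
    steps:
      - uses: actions/checkout@v4

      # Pattern removed under S7630: the ${{ }} expression is expanded into the
      # script text before pwsh starts, so quote or separator characters in the
      # input become part of the program instead of staying data.
      # - shell: pwsh
      #   run: Write-Host 'Requested SDK: ${{ inputs.dotnet_version }}'

      # Replacement: the value reaches the step as an environment variable and
      # pwsh reads $env:DOTNET_VERSION as a plain string, whatever it contains.
      - name: Show requested SDK
        shell: pwsh
        env:
          DOTNET_VERSION: ${{ inputs.dotnet_version }}
        run: Write-Host "Requested SDK: $env:DOTNET_VERSION"

  publish:
    needs: build
    runs-on: ubuntu-latest
    # Write scopes only on the job that uses them: OIDC token exchange and
    # package push. Job-level permissions replace the workflow-level block,
    # so contents: read is restated here.
    permissions:
      contents: read
      id-token: write
      packages: write
    steps:
      - shell: pwsh
        run: Write-Host "publish steps go here"
```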
Thank you @arturcic for your contribution!
Resolves a batch of SonarCloud findings across the build, new-cli, and CI (.github) areas. Code fixes here; false-positives / won't-fix dispositions were applied on SonarCloud directly.
Code fixes
.github (CI security)
- S7630 (BLOCKER) script injection in the docker-publish / docker-manifests composite actions: fixed by passing inputs.* (dotnet_version, docker_distro, arch) via env: and referencing $env:VAR in the pwsh run: steps instead of interpolating ${{ inputs.* }} into the shell.
- GITHUB_TOKEN to least privilege: workflow-level dropped to contents: read; write scopes granted only on the jobs that need them (unit_test → id-token; docker_* → packages; publish → id-token + packages), matching each reusable workflow's own declarations. release already declared its own.
- Quoted the **/AddFormats/ glob in format.yml.

build
- static utility classes (Arguments/Paths/Tools); protected ctor for the subclassed EnvVars. LogBuildInformation made static.
- InvalidOperationException instead of bare Exception (UnitTest, NuGet publish flow).
- Quoted $VERSION in the Dockerfile.
- IReadOnlyDictionary for public collections.
- GitVersionRunner.GetArguments cognitive complexity reduced via extracted helpers.
- build.ps1: lowercase param; renamed reserved $WhatIf → $DryRun (kept WhatIf/Noop aliases, so the CLI is unchanged).

new-cli
- Parameter renames to match base/interface (propertyFactory, symbol).
- == true → is true.

Verification
- dotnet build of the src/new-cli and build solutions: 0 errors / 0 warnings.
- dotnet format --verify-no-changes clean.

🤖 Generated with Claude Code