Skip to content

ci: fix Dependabot NuGet PRs failing locked-mode restore (NU1004)#67

Merged
st0o0 merged 2 commits into
mainfrom
fix/deps-akka-1.5.70-lockfiles
Jul 5, 2026
Merged

ci: fix Dependabot NuGet PRs failing locked-mode restore (NU1004)#67
st0o0 merged 2 commits into
mainfrom
fix/deps-akka-1.5.70-lockfiles

Conversation

@st0o0

@st0o0 st0o0 commented Jul 5, 2026

Copy link
Copy Markdown
Member

Problem

Every Dependabot NuGet PR that touches src/GaudiHTTP/packages.lock.json fails CI with:

error NU1004: A new project reference to Servus.Akka was found for net10.0 ... The packages lock file is inconsistent with the project dependencies

Dependabot's NuGet updater runs in a sandbox that never initializes git submodules, so
lib/servus.akka is empty when it regenerates the lock file. The servus.akka project
entry silently drops out of packages.lock.json, and CI — which checks out with
submodules and restores in locked mode — rejects it. Latest occurrence: #62.

Changes

  1. deps: Akka 1.5.68 → 1.5.70 with a correctly regenerated lock file — the same
    version bumps as deps: Bump Akka.Hosting, Akka.Streams.TestKit and Akka.TestKit.Xunit #62 (Akka.Hosting, Akka.Streams, Akka.Streams.TestKit,
    Akka.TestKit.Xunit), but the lock file was regenerated via
    dotnet restore --force-evaluate with the submodule present, keeping the
    servus.akka project entry intact. Supersedes deps: Bump Akka.Hosting, Akka.Streams.TestKit and Akka.TestKit.Xunit #62.

  2. ci: new dependabot-lockfile-fix.yml workflow — prevents recurrence. On
    Dependabot PRs it checks out the PR branch with submodules, regenerates the lock
    files, and pushes the correction back to the PR branch.

    • Trigger scoped to NuGet manifests (Directory.Packages.props,
      packages.lock.json, *.csproj) — github-actions ecosystem bumps don't run it.
    • Uses pull_request_target (write token), strictly gated to dependabot[bot]
      on same-repo branches.

Verified

  • dotnet restore GaudiHTTP.slnx (locked mode) passes locally with the regenerated lock file
  • dotnet build --configuration Release passes (0 errors)

Follow-up

  • Commits pushed with the default GITHUB_TOKEN don't retrigger "Build & Test".
    Add a DEPENDABOT_LOCKFILE_TOKEN secret (PAT with contents: write) so CI runs
    automatically on the fixed commit; without it, close/reopen the PR to retrigger.
  • Close deps: Bump Akka.Hosting, Akka.Streams.TestKit and Akka.TestKit.Xunit #62 after merge (Dependabot should also auto-close it once the versions land).
  • Once the Servus.Akka submodule ProjectReference is replaced by the
    PackageReference (as planned in GaudiHTTP.csproj), this workflow becomes
    redundant and can be deleted.

@st0o0
st0o0 merged commit 60d7257 into main Jul 5, 2026
3 checks passed
@st0o0
st0o0 deleted the fix/deps-akka-1.5.70-lockfiles branch July 5, 2026 08:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant