ci: fix Dependabot NuGet PRs failing locked-mode restore (NU1004)#67
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Every Dependabot NuGet PR that touches
src/GaudiHTTP/packages.lock.jsonfails CI with:Dependabot's NuGet updater runs in a sandbox that never initializes git submodules, so
lib/servus.akkais empty when it regenerates the lock file. Theservus.akkaprojectentry silently drops out of
packages.lock.json, and CI — which checks out withsubmodules and restores in locked mode — rejects it. Latest occurrence: #62.
Changes
deps:Akka 1.5.68 → 1.5.70 with a correctly regenerated lock file — the sameversion bumps as deps: Bump Akka.Hosting, Akka.Streams.TestKit and Akka.TestKit.Xunit #62 (Akka.Hosting, Akka.Streams, Akka.Streams.TestKit,
Akka.TestKit.Xunit), but the lock file was regenerated via
dotnet restore --force-evaluatewith the submodule present, keeping theservus.akkaproject entry intact. Supersedes deps: Bump Akka.Hosting, Akka.Streams.TestKit and Akka.TestKit.Xunit #62.ci:newdependabot-lockfile-fix.ymlworkflow — prevents recurrence. OnDependabot PRs it checks out the PR branch with submodules, regenerates the lock
files, and pushes the correction back to the PR branch.
Directory.Packages.props,packages.lock.json,*.csproj) —github-actionsecosystem bumps don't run it.pull_request_target(write token), strictly gated todependabot[bot]on same-repo branches.
Verified
dotnet restore GaudiHTTP.slnx(locked mode) passes locally with the regenerated lock filedotnet build --configuration Releasepasses (0 errors)Follow-up
GITHUB_TOKENdon't retrigger "Build & Test".Add a
DEPENDABOT_LOCKFILE_TOKENsecret (PAT withcontents: write) so CI runsautomatically on the fixed commit; without it, close/reopen the PR to retrigger.
Servus.AkkasubmoduleProjectReferenceis replaced by thePackageReference(as planned inGaudiHTTP.csproj), this workflow becomesredundant and can be deleted.