From e18aee46559742e50fe48da6e5fb7b9353f01cf9 Mon Sep 17 00:00:00 2001
From: SebastienDegodez
Date: Sat, 5 Jul 2025 17:20:17 +0200
Subject: [PATCH 1/4] chore(deps): clean up dependabot.yml formatting and comments
Signed-off-by: SebastienDegodez
---
 .github/dependabot.yml | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 6ada163..7168911 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,16 +1,18 @@
 version: 2
 updates:
- - package-ecosystem: "nuget"
- directory: "/"
+ - package-ecosystem: nuget
+ directory: /
 schedule:
- interval: "weekly"
- day: "sunday"
+ interval: weekly
+ day: sunday
 open-pull-requests-limit: 3
 rebase-strategy: disabled
- - package-ecosystem: "github-actions"
- directory: "/"
+
+# Github Actions updates
+ - package-ecosystem: github-actions
+ directory: /
 schedule:
- interval: "weekly"
- day: "sunday"
+ interval: weekly
+ day: sunday
 open-pull-requests-limit: 3
 rebase-strategy: disabled
From d7a70cbd744dd26cc05691d8bb6e1a50793e624f Mon Sep 17 00:00:00 2001
From: Laurent Broudoux
Date: Thu, 17 Jul 2025 16:05:14 +0200
Subject: [PATCH 2/4] chore(ci): #97 Specify the most restrictive permissions
Signed-off-by: Laurent Broudoux
---
 .github/workflows/cicd.yml | 2 ++
 .github/workflows/steps.dotnet-build-test.yml | 2 ++
 .github/workflows/steps.dotnet-nuget-publish.yml | 2 ++
 .github/workflows/steps.dotnet-version.yml | 2 ++
 .github/workflows/steps.github-release-draft.yml | 3 +++
 .github/workflows/steps.publish-test-reporter.yml | 4 ++++
 6 files changed, 15 insertions(+)
diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
index 8d25603..319363c 100644
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -24,6 +24,8 @@ permissions: read-all
 jobs:
 version:
 name: Define Version
+ permissions:
+ contents: read
 uses: ./.github/workflows/steps.dotnet-version.yml
 with:
 runs-on: ubuntu-latest
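Review bot: Only the `version` job in `cicd.yml` gets a job-level `permissions` block here, and the workflow default shown in the hunk header stays `permissions: read-all`. A called reusable workflow can reduce the token permissions passed by its caller but cannot raise them, so the jobs that call `steps.github-release-draft.yml` and `steps.publish-test-reporter.yml` need their own grants (`contents: write` and `deployments: write`, and `checks: write` respectively) on the calling job. Those jobs are outside this hunk and the diffstat shows no other change to this file, so confirm they already declare them; if they do not, the workflow is likely to be rejected at startup. The `jobs:` map continues outside the hunk.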
diff --git a/.github/workflows/steps.dotnet-build-test.yml b/.github/workflows/steps.dotnet-build-test.yml index 66f3d1a..faae090 100644 --- a/.github/workflows/steps.dotnet-build-test.yml +++ b/.github/workflows/steps.dotnet-build-test.yml @@ -23,6 +23,8 @@ publish-package: description: 'Publish package is enabled ?' value: ${{ jobs.build_test.outputs.publish-package }} +permissions: read-all + jobs: build_test: runs-on: ${{ inputs.runs-on }} diff --git a/.github/workflows/steps.dotnet-nuget-publish.yml b/.github/workflows/steps.dotnet-nuget-publish.yml index 6ad0af8..f3231d5 100644 --- a/.github/workflows/steps.dotnet-nuget-publish.yml +++ b/.github/workflows/steps.dotnet-nuget-publish.yml @@ -8,6 +8,8 @@ on: secrets: NUGET_KEY: required: true +permissions: read-all + jobs: nuget-publish: if: ${{ github.event_name != 'pull_request' && github.repository == 'microcks/microcks-testcontainers-dotnet' }} diff --git a/.github/workflows/steps.dotnet-version.yml b/.github/workflows/steps.dotnet-version.yml index 60fb37e..e83df37 100644 --- a/.github/workflows/steps.dotnet-version.yml +++ b/.github/workflows/steps.dotnet-version.yml @@ -15,6 +15,8 @@ majorMinorPatch: description: 'majorMinorPatch (gitversion)' value: ${{ jobs.define_version.outputs.majorMinorPatch }} +permissions: read-all + jobs: define_version: runs-on: ${{ inputs.runs-on }} diff --git a/.github/workflows/steps.github-release-draft.yml b/.github/workflows/steps.github-release-draft.yml index 79df02f..07ce102 100644 --- a/.github/workflows/steps.github-release-draft.yml +++ b/.github/workflows/steps.github-release-draft.yml @@ -12,6 +12,9 @@ jobs: release_drafter: if: ${{ github.event_name != 'pull_request' && github.ref == 'refs/heads/main' }} + permissions: + contents: write + deployments: write runs-on: ${{ inputs.runs-on }} steps: - name: 🔄 Checkout diff --git a/.github/workflows/steps.publish-test-reporter.yml b/.github/workflows/steps.publish-test-reporter.yml index 76802b9..b291f24 100644 
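Review bot: In `steps.dotnet-build-test.yml` the added `permissions: read-all` grants read access on every token scope, which is wider than the "most restrictive" goal in the commit subject; the same line is added in `steps.dotnet-nuget-publish.yml` and `steps.dotnet-version.yml`. If these jobs only need to check out the repository, which the hunks do not show, the block can be narrowed to `permissions:` with a single `contents: read` entry, matching what the `version` job in `cicd.yml` declares. Narrowing matters most in the publish workflow, since that job also receives the `NUGET_KEY` secret. The job bodies continue outside these hunks.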
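Review bot: `deployments: write` on the `release_drafter` job in `steps.github-release-draft.yml` is not justified by anything visible in the hunk, where the only step shown is the checkout. Each write scope should be traceable to a step that needs it; if a later step does create deployments, add a comment above the line such as `# required by <step name>`, and otherwise drop it and keep `contents: write` only. The job's steps continue outside the hunk.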
--- a/.github/workflows/steps.publish-test-reporter.yml +++ b/.github/workflows/steps.publish-test-reporter.yml @@ -5,6 +5,10 @@ required: false type: string default: 'ubuntu-latest' +permissions: + contents: read + actions: read + checks: write jobs: report: From 60e5e237bfcd45a04c9df90b114ff9e3ecd063d7 Mon Sep 17 00:00:00 2001 From: SebastienDegodez Date: Mon, 21 Jul 2025 00:39:27 +0200 Subject: [PATCH 3/4] chore(deps): update dependabot.yml for dotnet-sdk and nuget packages Signed-off-by: SebastienDegodez --- .github/dependabot.yml | 48 ++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 46 insertions(+), 2 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 7168911..fdce902 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
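Review bot: The `permissions` block in `steps.publish-test-reporter.yml` is added at workflow level, so `checks: write` applies to every job in the file, whereas `steps.github-release-draft.yml` in the same commit scopes its write permissions to the job. Placing the block under `report:` keeps the write scope tied to the one job that needs it and makes the two workflows consistent. A short comment per scope, for example `# checks: write - publish the test report as a check run` if that is what the reporter does, would record why each entry is there. The `report` job starts on the hunk's last line and its body is outside the hunk.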
@@ -1,13 +1,57 @@ version: 2 updates: - - package-ecosystem: nuget + # https://devblogs.microsoft.com/dotnet/using-dependabot-to-manage-dotnet-sdk-updates/ + - package-ecosystem: "dotnet-sdk" directory: / + schedule: + interval: "weekly" + day: "tuesday" + open-pull-requests-limit: 1 + + # NuGet package updates for SRC + - package-ecosystem: nuget + directory: /src + schedule: + interval: weekly + day: sunday + open-pull-requests-limit: 3 + rebase-strategy: disabled + groups: + microsoft-sbom: + patterns: ['Microsoft.Sbom.*'] + testcontainers: + patterns: ['Testcontainers*'] + # Grouping for .NET packages (Monorepo) + microsoft: + patterns: [Microsoft.*, System.*] + all-dependencies: + patterns: ['*'] + + # NuGet package updates for TESTS + - package-ecosystem: nuget + directory: /tests schedule: interval: weekly day: sunday open-pull-requests-limit: 3 rebase-strategy: disabled - + groups: + test-dependencies: + patterns: ['coverlet.collector', 'Microsoft.NET.Test.Sdk'] + xunit: + patterns: [xunit.*] + # Grouping for Testcontainers + testcontainers: + patterns: ['Testcontainers*'] + kafka: + patterns: ['Confluent.Kafka'] + rabbitmq: + patterns: ['RabbitMQ.Client'] + restassured: + patterns: ['RestAssured.Net'] + all-dependencies: + patterns: ['*'] + # Github Actions updates - package-ecosystem: github-actions directory: / From 8852baefeeb49bf2c29d03fbbf08cc756758dc0d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 20 Jul 2025 22:40:12 +0000 Subject: [PATCH 4/4] chore(deps): bump dotnet-sdk from 8.0.200 to 9.0.303 Bumps [dotnet-sdk](https://github.com/dotnet/sdk) from 8.0.200 to 9.0.303. - [Release notes](https://github.com/dotnet/sdk/releases) - [Commits](https://github.com/dotnet/sdk/compare/v8.0.200...v9.0.303) --- updated-dependencies: - dependency-name: dotnet-sdk dependency-version: 9.0.303 dependency-type: direct:production update-type: version-update:semver-major ... 
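Review bot: The `all-dependencies` groups that close the `/src` and `/tests` entries match `'*'` without `update-types`, so every dependency not claimed by an earlier group is batched into one pull request whether the bump is a patch or a major version. A batch that mixes major and patch updates is harder to review, and one breaking package holds back the rest. Consider adding `update-types: [minor, patch]` under each `all-dependencies` group so that major updates still arrive as separate pull requests. The quoting of the `patterns` lists is also inconsistent (`[Microsoft.*, System.*]` and `[xunit.*]` next to quoted entries); quoting all of them keeps the style uniform and guards any pattern that starts with `*`.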
Signed-off-by: dependabot[bot]
---
 global.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/global.json b/global.json
index 39c53b8..040dbd0 100644
--- a/global.json
+++ b/global.json
@@ -1,6 +1,6 @@
 {
 "sdk": {
- "version": "8.0.200",
+ "version": "9.0.303",
 "rollForward": "latestMinor"
 }
 }