address PR review feedback

- Remove unused experimentsManager variable (TreatWarningsAsErrors)
- Normalize branch ref to avoid double-prefixing refs/heads/
- Hash long directory names in correlator (matching Ruby's 32-byte threshold)
- Use string.IsNullOrWhiteSpace for DEPENDABOT_VERSION fallback
- Guard nuget/script/run against missing/empty version file

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: brettfo

nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Graph/GraphWorker.cs

@@ -1,3 +1,6 @@
+using System.Security.Cryptography;
+using System.Text;
+
 using NuGetUpdater.Core.Discover;
 using NuGetUpdater.Core.Run;
 using NuGetUpdater.Core.Run.ApiModel;
@@ -27,7 +30,6 @@ public async Task<int> RunAsync(FileInfo jobFilePath, DirectoryInfo repoContents
         var jobFileContent = await File.ReadAllTextAsync(jobFilePath.FullName);
         var jobWrapper = RunWorker.Deserialize(jobFileContent);
         var job = jobWrapper.Job;
-        var experimentsManager = ExperimentsManager.GetExperimentsManager(job.Experiments);
 
         // Use the case-insensitive repo contents path if provided, otherwise use the original
         var actualRepoContentsPath = caseInsensitiveRepoContentsPath ?? repoContentsPath;
@@ -190,10 +192,10 @@ internal CreateDependencySubmission BuildDependencySubmission(
         {
             Version = 1,
             Sha = baseCommitSha,
-            Ref = $"refs/heads/{job.Source.Branch ?? "main"}",
+            Ref = GetSymbolicRef(job.Source.Branch),
             Job = new CreateDependencySubmission.SubmissionJob
             {
-                Correlator = $"dependabot-nuget-{directory.Replace("/", "-").TrimStart('-')}",
+                Correlator = GetCorrelator(directory),
                 Id = _jobId
             },
             Detector = new CreateDependencySubmission.SubmissionDetector
@@ -212,9 +214,36 @@ internal CreateDependencySubmission BuildDependencySubmission(
         };
     }
 
+    internal static string GetSymbolicRef(string? branch)
+    {
+        branch = (branch ?? "main").TrimStart('/');
+        if (branch.StartsWith("refs/", StringComparison.OrdinalIgnoreCase))
+        {
+            return branch;
+        }
+
+        return $"refs/heads/{branch}";
+    }
+
+    internal static string GetCorrelator(string directory)
+    {
+        var sanitized = directory.TrimStart('/').Replace("/", "-").TrimStart('-');
+        if (Encoding.UTF8.GetByteCount(sanitized) > 32)
+        {
+            sanitized = Convert.ToHexStringLower(SHA256.HashData(Encoding.UTF8.GetBytes(sanitized)));
+        }
+
+        return string.IsNullOrEmpty(sanitized) ? "dependabot-nuget" : $"dependabot-nuget-{sanitized}";
+    }
+
     internal static string GetDetectorVersion()
     {
-        var version = Environment.GetEnvironmentVariable("DEPENDABOT_VERSION") ?? "development";
+        var version = Environment.GetEnvironmentVariable("DEPENDABOT_VERSION");
+        if (string.IsNullOrWhiteSpace(version))
+        {
+            version = "development";
+        }
+
         var sha = Environment.GetEnvironmentVariable("DEPENDABOT_UPDATER_SHA");
         if (!string.IsNullOrEmpty(sha))
         {

nuget/script/run

@@ -1,5 +1,8 @@
 #!/bin/bash
 # shellcheck disable=all
 
-export DEPENDABOT_VERSION=$(cat "$DEPENDABOT_HOME/.dependabot-version")
+VERSION_FILE="$DEPENDABOT_HOME/.dependabot-version"
+if [ -f "$VERSION_FILE" ] && [ -s "$VERSION_FILE" ]; then
+  export DEPENDABOT_VERSION=$(cat "$VERSION_FILE")
+fi
 pwsh "$DEPENDABOT_HOME/dependabot-updater/bin/main.ps1" $*