Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions .github/workflows/changelog.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ name: Draft changelog
# requests merged since that train's last tag, then opens a pull request so a human
# can review it (and delete any benefit the model inferred rather than found)
# before merging. The trains version independently and keep separate changelogs:
# lib -> CHANGELOG.md (FirstClassErrors + FirstClassErrors.Testing)
# lib -> CHANGELOG.md (FirstClassErrors + FirstClassErrors.Testing + FirstClassErrors.RequestBinder)
# cli -> FirstClassErrors.Cli/CHANGELOG.md (the fce .NET tool)
# dum -> Dummies/CHANGELOG.md (the standalone Dummies library)
on:
Expand Down Expand Up @@ -94,7 +94,7 @@ jobs:
echo "Collected $(jq 'length' prs.json) ${COMPONENT}-facing pull request(s) for this changelog."
# COMPONENT is a choice input (lib|cli|dum only), safe to pass straight through.
# from_ref is free text, so it travels via the environment (never inlined
# into the script) and is only ever handed to `git log`.
# into the script) and is only ever passed to git (rev-parse, then log) as a ref argument.

- name: Draft the changelog entry with Claude
if: steps.collect.outputs.count != '0'
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/dependabot-automerge.yml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name: dependabot-automerge

# Palier A of the Dependabot automation policy: for Dependabot PRs, enable
# The low-friction lane of the Dependabot automation policy: for Dependabot PRs, enable
# GitHub auto-merge on patch and minor updates so they merge on their own once
# the required checks pass. Major updates are deliberately left untouched for
# human review.
Expand Down
31 changes: 18 additions & 13 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ name: release
on:
push:
# Publish on a train-prefixed semantic-version tag. The trains version independently:
# lib-v1.2.3 -> FirstClassErrors + FirstClassErrors.Testing
# lib-v1.2.3 -> FirstClassErrors + FirstClassErrors.Testing + FirstClassErrors.RequestBinder
# cli-v1.2.3 -> FirstClassErrors.Cli (the fce .NET tool)
# dum-v1.2.3 -> Dummies (the standalone arbitrary-test-value library)
tags:
Expand All @@ -27,12 +27,13 @@ on:
# pack, SBOM generation, OIDC and the attestation permissions only ever execute in production
# conditions. Three defects were found here that were invisible from the repository (the
# +metadata regex, the nuget.org re-signing mismatch, the dispatch-tag target). Dry run makes
# all of it testable on demand: everything runs up to AND INCLUDING the attestation — which
# deliberately stays in, since OIDC/permission failures are exactly what it rehearses — while
# NuGet login, the push and the GitHub Release are skipped. Defaults to true so an accidental
# dispatch publishes nothing; publishing requires explicitly unticking it.
# all of it testable on demand: everything runs up to AND INCLUDING the attestation and the OIDC
# login — both deliberately stay in, since OIDC/permission failures are exactly what a dry run
# rehearses — while the steps that actually publish (the NuGet push, the GitHub Release, and,
# on the cli train, the error-catalog baseline refresh) are skipped. Defaults to true so an
# accidental dispatch publishes nothing; publishing requires explicitly unticking it.
dry_run:
description: 'Dry run: stop after pack + attestation; skip NuGet push and the GitHub Release'
description: 'Dry run: stop after pack + attestation; skip the publish steps (NuGet push, GitHub Release, cli catalog-baseline refresh)'
type: boolean
default: true

Expand All @@ -59,7 +60,9 @@ jobs:
# build + test + pack + attest + push is ~4 min; cap a hung release rather than the 6-hour default.
timeout-minutes: 20
permissions:
# Create the GitHub Release and upload the attested .nupkg/.snupkg as its assets (see the publish step).
# Two uses of the write scope: create the GitHub Release and upload the attested .nupkg/.snupkg as its
# assets (the publish step), and — on a cli release — push the refreshed error-catalog baseline straight
# to main (the baseline-refresh step, the one direct-to-main write in this pipeline).
contents: write
# Request a GitHub OIDC token, exchanged for a short-lived NuGet API key via trusted publishing
# (no long-lived NUGET_API_KEY secret is stored).
Expand Down Expand Up @@ -186,9 +189,10 @@ jobs:
fi
echo "ok: GenDoc's error catalog has a breaking change since $PREVIOUS_TAG, matched by the major version bump ($PREVIOUS_MAJOR -> $NEW_MAJOR)."

# Pack only the train this release targets (lib -> FirstClassErrors + .Testing; cli -> the fce
# tool; dum -> Dummies), so a lib release never republishes the CLI and vice versa. The analyzer is bundled inside the main
# package and the GenDoc worker inside the CLI tool; the samples are not published.
# Pack only the train this release targets (lib -> FirstClassErrors + .Testing + .RequestBinder;
# cli -> the fce tool; dum -> Dummies), so a lib release never republishes the CLI and vice versa.
# The analyzer is bundled inside the main package and the GenDoc worker inside the CLI tool; the
# samples are not published.
# GenerateSBOM activates Microsoft.Sbom.Targets in each packable project: each package embeds its SPDX
# inventory at _manifest/spdx_2.2/manifest.spdx.json. tools/packaging/pack.sh is the single source of
# truth (packed projects per train, flags, embedded SBOM, and the SBOM-present check); the
Expand Down Expand Up @@ -233,9 +237,10 @@ jobs:
# trusted-publishing policy, so rehearsing it here makes a dry run fail red when the policy or
# NUGET_USER is missing/misconfigured — instead of only ever finding out during a real release. It
# mints a short-lived, single-use key that a dry run never spends (the push below is skipped). Only the
# steps that actually PUBLISH — the push and the GitHub Release — are gated off on a dry run: a tag
# push always publishes (inputs.* is empty on push, so the event check short-circuits first); a manual
# dispatch publishes only with dry_run explicitly unticked.
# steps that actually PUBLISH — the push, the GitHub Release, and (on the cli train) the error-catalog
# baseline refresh — are gated off on a dry run: a tag push always publishes (inputs.* is empty on
# push, so the event check short-circuits first); a manual dispatch publishes only with dry_run
# explicitly unticked.
- name: NuGet login (OIDC)
id: nuget-login
uses: NuGet/login@8d196754b4036150537f80ac539e15c2f1028841 # v1
Expand Down