VCST-5372: Distribute NuGet vulnerability-audit settings to module repos#75
Open
AndrewEhlo wants to merge 13 commits into
Open
VCST-5372: Distribute NuGet vulnerability-audit settings to module repos#75AndrewEhlo wants to merge 13 commits into
AndrewEhlo wants to merge 13 commits into
Conversation
# Conflicts: # .github/workflows/build.yml # .github/workflows/deploy-cloud.yml # .github/workflows/deploy-module-workflows.yml # .github/workflows/deploy.yml # .github/workflows/docker-image-vulnerability-process.yml # .github/workflows/publish-docker.yml # .github/workflows/publish-github.yml # .github/workflows/pytest-tests.yml # .github/workflows/release.yml # .github/workflows/test-and-sonar.yml # deprecated/workflows/e2e-autotests.yml # deprecated/workflows/e2e.yml # deprecated/workflows/get-metadata.yml # deprecated/workflows/increment-version.yml # deprecated/workflows/ui-autotests.yml # workflow-templates/module-ci.yml # workflow-templates/module-deploy.yml # workflow-templates/module-release-hotfix.yml # workflow-templates/publish-nugets.yml # workflow-templates/release.yml
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Want reviews to match your repository better? Bugbot Learning can learn team-specific rules from PR activity. A team admin can enable Learning in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 830ff39. Configure here.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.

Distribute NuGet vulnerability-audit settings to module repos
Adds a mechanism to centrally distribute shared MSBuild build props (starting with NuGet vulnerable-dependency auditing) to all
vc-module-*repos, mirroring how workflow templates are already deployed.What & why
Modules build with
TreatWarningsAsErrors=true, so NuGet audit advisories (NU190x) fail CI. This centralizes the audit policy in one owned file instead of per-repo config drift.common-build-props/nuget-audit.props— owned audit config:NuGetAudit=true,NuGetAuditMode=all,NuGetAuditLevel=high, plus a per-advisory suppress list (bluntNoWarnavoided so new high/critical vulns still surface).deploy-module-build-props.yml— new manual workflow. Copies the props into each module and injects a marker-delimited<Import>into the module's ownDirectory.Build.props— imported, never overwritten, so per-module settings (VersionPrefix, etc.) are preserved. Fails loudly if a module has noDirectory.Build.props.scripts/ensure-build-props-import.sh— shared copy+inject logic (idempotent), used by both the deploy workflow and module creation.modules.json— single source of the module list, consumed via apreparejob +fromJsonmatrix. Replaces the inline matrix indeploy-module-workflows.yml; both workflows now read it.create-module-repository.yml— registers new repos inmodules.jsonand scaffolds the audit import so new modules ship with auditing on.Note
Medium Risk
PAT-driven pushes across ~90 module
devbranches can fail builds module-wide once audit props land; script errors on malformedDirectory.Build.propscould block deploy jobs for individual repos.Overview
Adds central distribution of shared MSBuild build props (starting with
nuget-audit.props) to allvc-module-*repos, parallel to workflow template deploys. Modules keep their ownDirectory.Build.props; a marker-managed<Import>block is injected or refreshed without overwriting module settings.New pieces:
common-build-props/nuget-audit.props(audit on, high+ severity, per-advisory suppress list),scripts/ensure-build-props-import.sh(copy props + inject/refresh imports; fails ifDirectory.Build.propsis missing), andDeploy Module build props(deploy-module-build-props.yml) — matrix deploy to each module’sdevbranch with archived/no-op handling.Module list: Inline repo matrix in
deploy-module-workflows.ymlmoves to rootmodules.json. Both deploy workflows use apreparejob (jq→fromJsonmatrix).create-module-repository.ymlscaffolds audit imports for new modules and appends repos tomodules.json(replacing YAML regex edits). Workflow deploy also targetsdevexplicitly and pushes withHEAD:dev.Docs in README describe build-props and
modules.json. Reusable workflow references bump to v3.800.41 (VCST-5372).Reviewed by Cursor Bugbot for commit d72f434. Bugbot is set up for automated code reviews on this repo. Configure here.