Pin NuGet release build to tested commit SHA

[Freezor]

Motivation

• For workflow_dispatch the ref input defaults to main, which can advance between jobs and allow build-pack-push to run on a different commit than the one that passed tests. This breaks the intended hard gate.

Description

• Added a resolved_sha job output on test-gate populated by a new Resolve checked out commit SHA step that runs git rev-parse HEAD after checkout.
• Wired test-gate output into build-pack-push by changing the second job's checkout ref to needs.test-gate.outputs.resolved_sha.
• This ensures the package is built and published from the exact commit that passed the blocking tests.

Testing

• Ran git diff --check which succeeded.
• Ran git status --short which showed the updated workflow file.
• Ran git show --stat --oneline HEAD to verify the change was committed successfully.

---

Codex Task

Summary by CodeRabbit

• Chores
  • Improved release workflow consistency by implementing shared commit reference resolution across build jobs, enhancing the reliability of the release process.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3aefd086-0e06-4009-adea-60dec3eac240

📥 Commits

Reviewing files that changed from the base of the PR and between 13e40aa and 1d3bf6d.

📒 Files selected for processing (1)

• .github/workflows/release-nuget.yml

---

Walkthrough

The PR modifies the release-nuget GitHub Actions workflow to ensure both the test-gate and build-pack-push jobs use the same resolved commit SHA. A new resolve_sha step is added to compute the current commit SHA and export it as a job output, which is then referenced by the subsequent job for consistency.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflow Configuration .github/workflows/release-nuget.yml	Added resolved_sha job output to the test-gate job with a new resolve_sha step that computes the commit SHA via git rev-parse HEAD. Updated the build-pack-push job's checkout to reference the resolved SHA from test-gate output instead of using the input-derived ref.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Pin NuGet release build to tested commit SHA' directly and concisely describes the primary change: ensuring the build uses the specific tested commit rather than a potentially different one.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/pass-commit-sha-from-test-gate-to-build-pack-push

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}