Use NuGet/login in CI and bump dependencies#41
Replace manual OIDC token retrieval with NuGet/login@v1 in the GitHub Actions workflow and use its NUGET_API_KEY output for dotnet nuget push; add packages: write permission. Add permissions: read-all to the CodeQL workflow. Update test project packages (xunit.runner.visualstudio 2.8.2 -> 3.1.5, coverlet.collector 6.0.4 -> 8.0.0) and bump System.Text.Json in the main project (8.0.6 -> 10.0.3). These changes simplify NuGet authentication and bring dependencies up to newer supported versions.
Pull request overview
Simplifies CI publishing by switching NuGet authentication to NuGet/login@v1, adjusts GitHub Actions permissions, and bumps several .NET package dependencies for the NuGet library and its tests.
Changes:
- Replace manual NuGet OIDC token retrieval with `NuGet/login@v1` and use its output for `dotnet nuget push`.
- Update workflow permissions (add `packages: write` where needed; add workflow-level `read-all` to CodeQL).
- Bump .NET dependencies: `System.Text.Json` (library) and `xunit.runner.visualstudio`/`coverlet.collector` (tests).
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/NuGet/ColonesExchangeRate/ColonesExchangeRate.csproj | Bumps System.Text.Json dependency version. |
| src/NuGet/ColonesExchangeRate.Tests/ColonesExchangeRate.Tests.csproj | Updates test runner/coverage collector package versions. |
| .github/workflows/workflow.yaml | Switches NuGet publish auth to NuGet/login@v1 and updates job permissions for publishing. |
| .github/workflows/codeql.yml | Adds workflow-level permissions configuration. |
| <PackageReference Include="Microsoft.NET.Test.Sdk" Version="18.0.1" /> | ||
| <PackageReference Include="xunit" Version="2.9.3" /> | ||
| <PackageReference Include="xunit.runner.visualstudio" Version="2.8.2"> | ||
| <PackageReference Include="xunit.runner.visualstudio" Version="3.1.5"> | ||
| <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets> | ||
| <PrivateAssets>all</PrivateAssets> | ||
| </PackageReference> | ||
| <PackageReference Include="coverlet.collector" Version="6.0.4"> | ||
| <PackageReference Include="coverlet.collector" Version="8.0.0"> |
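Review bot: two major-version bumps land in this one hunk (`xunit.runner.visualstudio` 2.8.2 -> 3.1.5 and `coverlet.collector` 6.0.4 -> 8.0.0) while the `xunit` package on the unchanged line above stays at 2.9.3, and the PR description only lists the new numbers without saying which combination was exercised with `dotnet test`. Please split the adapter bump from the coverage-collector bump, or state in the description that test discovery was verified after the change, so a failure in CI can be attributed to a single package.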
xunit.runner.visualstudio was bumped to a new major version (3.1.5) while the test framework package is still xunit 2.9.3. This combination is likely incompatible and can result in tests not being discovered/run by dotnet test. Align the major versions (either keep the runner/adapter on the v2 line, or migrate the test framework to the matching major version).
@copilot open a new pull request to apply changes based on this feedback
| permissions: read-all | ||
|
|
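Review bot: the workflow-level `permissions: read-all` added here has no effect on the `analyze` job, which (per the review thread below) declares its own explicit `permissions` block, and a job-level block takes precedence over the workflow-level key. What the line does change is the default token granted to any job added later without its own block, which becomes read access to every scope. If a workflow-level default is wanted as a guard, set only the scopes those jobs need rather than `read-all`; otherwise drop the workflow-level key and keep permissions declared per job.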
permissions: read-all at the workflow level is redundant here because the analyze job defines its own explicit permissions block (which overrides the workflow-level setting). Keeping read-all also increases the default token scope for any future jobs added without explicit permissions; consider removing the workflow-level read-all and relying on the job’s least-privilege permissions instead.
| permissions: read-all |
@copilot removing permissions will mean CodeQL can't run the static analysis.
@dsanchezcr I've opened a new pull request, #42, to work on those changes. Once the pull request is ready, I'll request review from you.
@dsanchezcr I've opened a new pull request, #43, to work on those changes. Once the pull request is ready, I'll request review from you.
Co-authored-by: dsanchezcr <10506023+dsanchezcr@users.noreply.github.com>
Fix xunit major version mismatch in test project