[ci] Scope Dependabot NuGet scanning to stable-SDK directories #11522
Open
jonathanpeppers wants to merge 1 commit into
Conversation
Dependabot's NuGet job has been failing on main with `dependency_file_not_found` / `MissingFileException`. Root cause: Dependabot's container only ships the previous-stable .NET SDK (currently 10.0) with no Android workload, while `main` always targets the next .NET release. MSBuild evaluation aborts on any `net*-android` csproj, killing the job.

Replace `directory: /` with a `directories:` allow-list of folders that build cleanly against the stable SDK with no Android workload: /build-tools, /tools, and /src/Xamarin.Android.Build.Tasks.

This is permanent — main will always be one release ahead of Dependabot — so we accept that packages only referenced from net*-android projects won't get automatic update PRs.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Scopes Dependabot NuGet scanning to only the subset of the repo that can be evaluated using the stable .NET SDK inside Dependabot’s container (without requiring the Android workload), preventing the weekly NuGet update job from failing on main.
Changes:
- Restricts the NuGet ecosystem update configuration from the repo root to an explicit allow-list of directories.
- Adds in-file documentation explaining why scoping is required and how to extend the list in the future.
Dependabot's weekly NuGet job has been failing on `main` (e.g. run 26533399988) with `dependency_file_not_found` / `MissingFileException`. The container Dependabot uses only ships the previous-stable .NET SDK (currently 10.0.103) and has no Android workload, while `main` always targets the next .NET release. MSBuild evaluation aborts on every `net*-android` csproj and on classic-style binding test projects, killing the run.

This is a permanent condition: as long as `main` is one release ahead of stable, Dependabot will never be able to evaluate workload-dependent projects. The fix scopes Dependabot to a curated allow-list of folders that build cleanly against the stable SDK with no Android workload:

- `/build-tools` (10 projects — `xa-prep-tasks`, `BootstrapTasks`, `xaprepare`, `jnienv-gen`, ...)
- `/tools` (11 projects — `assembly-store-reader`, `decompress-assemblies`, `relnote-gen`, ...)
- `/src/Xamarin.Android.Build.Tasks` (4 projects — highest-value, holds most third-party `PackageReference`s)

Verified each candidate uses only `$(DotNetStableTargetFramework)` (= `net10.0`) or `netstandard2.0`, and none import workload-specific targets.

Trade-off

Packages referenced only by `net*-android` projects (e.g. dependencies pulled in by `Mono.Android-Tests`) will not get Dependabot update PRs. We're accepting that to keep the weekly job green; partial coverage is better than total failure. The allow-list will need occasional extension when a new non-workload project shows up in a different folder, hence the comment in `dependabot.yml`.

The other Dependabot entries (`gradle`, `gitsubmodule`) are unchanged.
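The scoping described above, written out as a `dependabot.yml` fragment. This is an added illustration, not the PR's actual diff: the commented-out root-scanning entry is the prior state as the description reports it, and the `weekly` interval is taken from the description rather than from the file itself.

```yaml
version: 2
updates:
  # Before (prior state per the PR description): a single root directory makes
  # Dependabot's NuGet job evaluate every csproj in the repo, including the
  # net*-android projects that need the Android workload the container lacks.
  # MSBuild evaluation aborts and the whole job fails with
  # dependency_file_not_found / MissingFileException.
  #
  # - package-ecosystem: "nuget"
  #   directory: "/"
  #   schedule:
  #     interval: "weekly"

  # After: an explicit allow-list of folders whose projects target only
  # $(DotNetStableTargetFramework) or netstandard2.0 and therefore evaluate
  # with the stable SDK alone. Packages referenced solely from net*-android
  # projects are deliberately out of scope and will not get update PRs.
  # Extend this list when a new non-workload project appears elsewhere.
  - package-ecosystem: "nuget"
    directories:
      - "/build-tools"
      - "/tools"
      - "/src/Xamarin.Android.Build.Tasks"
    schedule:
      interval: "weekly"
```

A quick way to confirm a candidate folder belongs on the list is to run a restore of its projects with only the stable SDK installed and no Android workload; anything that fails there would fail inside Dependabot's container too.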