From 9e0b382ef8d7596747c3e04e9322bacd503d828d Mon Sep 17 00:00:00 2001 From: Chris Wolfgang <210299580+Chris-Wolfgang@users.noreply.github.com> Date: Wed, 25 Mar 2026 13:58:25 -0400 Subject: [PATCH 1/2] Add CycloneDX SBOM generation to release workflow Generate Software Bill of Materials for each source project during the pack-and-validate job. SBOM files are included in release artifacts alongside NuGet packages. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/release.yaml | 33 +++++++++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 42e8dcd..95a73a1 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -27,7 +27,6 @@ jobs: uses: actions/setup-dotnet@v4 with: dotnet-version: | - 3.1.x 5.0.x 6.0.x 7.0.x @@ -162,7 +161,6 @@ jobs: --no-build ` --no-restore ` --collect:"XPlat Code Coverage" ` - --settings coverlet.runsettings ` --results-directory "./TestResults" ` --logger "console;verbosity=minimal" @@ -184,7 +182,6 @@ jobs: --no-build ` --no-restore ` --collect:"XPlat Code Coverage" ` - --settings coverlet.runsettings ` --results-directory "./TestResults" ` --logger "console;verbosity=minimal" } else { @@ -303,7 +300,6 @@ jobs: uses: actions/setup-dotnet@v4 with: dotnet-version: | - 3.1.x 5.0.x 6.0.x 7.0.x 
@@ -473,6 +469,34 @@ jobs: Pop-Location } + - name: Generate SBOM (CycloneDX) + if: steps.check-packages.outputs.has-packages == 'true' + shell: pwsh + run: | + dotnet tool install --global CycloneDX + + $sbomDir = Join-Path $PWD 'nuget-packages' + $srcProjects = Get-ChildItem -Path 'src' -Filter '*.csproj' -Recurse -ErrorAction SilentlyContinue + + if ($srcProjects.Count -eq 0) { + Write-Warning "No projects found in src/ - skipping SBOM generation" + return + } + + foreach ($proj in $srcProjects) { + $sbomName = "$($proj.BaseName).bom.json" + $sbomPath = Join-Path $sbomDir $sbomName + + Write-Host "📋 Generating SBOM for $($proj.Name)" -ForegroundColor Cyan + dotnet CycloneDX $proj.FullName --output $sbomDir --filename $sbomName --json + + if ($LASTEXITCODE -ne 0) { + Write-Warning "⚠️ SBOM generation failed for $($proj.Name) - continuing" + } else { + Write-Host "✅ SBOM generated: $sbomName" -ForegroundColor Green + } + } + - name: Upload NuGet packages uses: actions/upload-artifact@v4 with: @@ -592,5 +616,6 @@ jobs: tag_name: ${{ github.event.release.tag_name }} files: | ./nuget-packages/*.nupkg + ./nuget-packages/*.bom.json release-coverage.zip From bf743ef0a565389e24f9b7e5c027dc2a382e310c Mon Sep 17 00:00:00 2001 From: Chris Wolfgang <210299580+Chris-Wolfgang@users.noreply.github.com> Date: Thu, 26 Mar 2026 13:05:35 -0400 Subject: [PATCH 2/2] Restore --settings coverlet.runsettings to release workflow tests The coverlet.runsettings flag was accidentally removed, which would cause netstandard TFM assemblies to be included in coverage and skew aggregate numbers. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/release.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 95a73a1..5b2ab18 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
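Review bot: The new step installs an unpinned tool (`dotnet tool install --global CycloneDX`) inside the release job, so every release resolves whatever CycloneDX version nuget.org serves that day; on a workflow that produces supply-chain evidence the tool itself should be pinned with `--version` and the install failure should stop the step rather than fall through to per-project warnings. The loop also fails open: a non-zero exit from `dotnet CycloneDX` only emits `Write-Warning` and continues, so a release can be published with `*.nupkg` but a missing or partial `*.bom.json`, which nothing downstream will notice. The test steps elsewhere in this file use `Write-Error` plus `exit $LASTEXITCODE` for the same situation, so the SBOM step should do the same for consistency. The generated bom files are attached as release assets but nothing in the hunk signs or attests them, so consumers cannot tell a genuine SBOM from a replaced one; consider producing an attestation alongside the packages, which is out of scope here but worth noting. The `steps.check-packages` step this is gated on is outside the hunk, so the `has-packages` contract is assumed.

```yaml
      - name: Generate SBOM (CycloneDX)
        if: steps.check-packages.outputs.has-packages == 'true'
        shell: pwsh
        run: |
          # Pin the tool so a release cannot silently pick up a newly published version.
          dotnet tool install --global CycloneDX --version 'X.Y.Z'  # replace with the reviewed release
          if ($LASTEXITCODE -ne 0) {
            Write-Error "❌ Failed to install CycloneDX tool"
            exit $LASTEXITCODE
          }
          # … unchanged: project discovery, empty-src early return, loop header …
            dotnet CycloneDX $proj.FullName --output $sbomDir --filename $sbomName --json
            if ($LASTEXITCODE -ne 0) {
              # Fail closed: a release without its SBOM should not be published.
              Write-Error "❌ SBOM generation failed for $($proj.Name)"
              exit $LASTEXITCODE
            }
          # … unchanged: success message and loop close …
```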
@@ -161,9 +161,10 @@ jobs: --no-build ` --no-restore ` --collect:"XPlat Code Coverage" ` + --settings coverlet.runsettings ` --results-directory "./TestResults" ` --logger "console;verbosity=minimal" - + if ($LASTEXITCODE -ne 0) { Write-Error "❌ Tests failed (no explicit TargetFramework) in $($testProj.Name)" exit $LASTEXITCODE @@ -182,6 +183,7 @@ jobs: --no-build ` --no-restore ` --collect:"XPlat Code Coverage" ` + --settings coverlet.runsettings ` --results-directory "./TestResults" ` --logger "console;verbosity=minimal" } else {
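Review bot: `--settings coverlet.runsettings` is resolved relative to the step's current directory, so the restored flag only works if the loop around `dotnet test` is still at the repository root when it runs; this file uses `Push-Location`/`Pop-Location` in the pack job (visible in the -473 hunk), and if the test loop does the same the settings file will not be found and the run will fail, though the enclosing loop starts outside the hunk so I cannot confirm which it is. Anchoring the path removes that dependency on the working directory: `--settings "$env:GITHUB_WORKSPACE/coverlet.runsettings"`. The same change belongs in the `else` branch of the second hunk, whose exit-code check is not visible here. A one-line comment above the flag, `# coverlet.runsettings excludes netstandard TFM assemblies from coverage (see commit bf743ef)`, would stop the next cleanup from dropping it again.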