chore(deps): update dependency dotnet.reproduciblebuilds to v2#883
Changes Summary (diffray bot review)

This PR updates the DotNet.ReproducibleBuilds package from version 1.2.39 to 2.0.1, a major version upgrade. This package is used to ensure deterministic and reproducible builds in the .NET project. The major version bump may include breaking changes or new build behavior that should be validated.

Type: config
Components Affected: build-system, reproducible-builds

Architecture Impact

Risk Areas:
- Build determinism and reproducibility may be affected by v2 changes
- Major version upgrades typically include breaking changes or behavior modifications
- Build outputs, hashing, or artifact generation could change
Review Summary: Validated 2 issues: 1 kept, 1 filtered (low confidence - common valid pattern). Issues Found: 1 (outside PR diff).

MEDIUM - Duplicate CI/CD workflows for dependabot/renovate automation
Agent: architecture. Category: quality.
Why this matters: Script duplication causes maintenance burden and sync errors. When one script is updated, developers must remember to update all variants, leading to inconsistencies and bugs.
File:
Description: Four nearly-identical GitHub Actions workflows exist for approving and auto-merging dependency bot PRs. These workflows have significant overlap in functionality, duplicating logic across 95 total lines of YAML when a single parameterized workflow could handle all cases.
Suggestion: Consolidate these four workflows into a single reusable workflow that accepts parameters for bot name filtering, approval strategy, and merge conditions. Use workflow_call with inputs to parameterize the bot actor check, approval method, and merge strategy.
Confidence: 70%
Rule:
rjmurillo left a comment:
DotNet.ReproducibleBuilds 1.2.39 to 2.0.2: major version bump. Only breaking change is new RPB0003 warning when global.json is missing, which does not apply (project has global.json with pinned SDK version). All CI checks pass.
…915)

## Summary

- Disable dependabot for NuGet, consolidate to renovate-only
- Consolidate 4 overlapping auto-approve/merge workflows into 1
- Update renovate.json with proper package grouping and exclusion rules
- Add `docs/dependency-management.md` documenting package categories and upgrade policies

## Problem

Both dependabot and renovate created duplicate PRs for every NuGet update. Dependabot NuGet PRs used "Bump X from A to B" titles that failed the required "Validate PR title" check (conventional commits required), so they could never auto-merge. Four overlapping auto-approve/merge workflows competed with each other, one of which had a broken step referencing a nonexistent step output (`steps.cpr.outputs`).

## Changes

### Dependabot config (`.github/dependabot.yml`)

Removed the `nuget` ecosystem. Retained `github-actions` ecosystem (dependabot's fetch-metadata action provides update-type classification for major version gating).

### Workflow consolidation

Deleted 3 workflows, kept and expanded 1:

- **Deleted:** `auto-approve-and-merge-renovate.yml`, `dependabot-auto-approve.yml`, `dependabot-auto-merge.yml`
- **Kept:** `dependabot-approve-and-auto-merge.yml` with separate jobs for dependabot and renovate

### Renovate config (`renovate.json`)

- Added `ignoreDeps` for `Microsoft.CodeAnalysis.*` core packages (same policy as former dependabot ignore list)
- Grouped `BenchmarkDotNet` + `Perfolizer` as `benchmark-tooling` with `automerge: false` (coordinated updates required due to transitive dependency constraints)
- Disabled `System.CommandLine` and `System.CommandLine.Rendering` updates until PerfDiff rewrite (#914)

### Documentation

New `docs/dependency-management.md` covers:

- Package categories (shipped, build-time, test, benchmark, tools, infrastructure)
- Upgrade policies per category
- The VersionOverride pattern for non-shipped projects
- Lessons from the CS8032/SCI incident (#850)

## Bot PR cleanup performed

| Action | PRs |
|--------|-----|
| Closed (dependabot duplicates) | #903, #902, #890, #880, #909 |
| Closed (superseded) | #877 (Meziantou 2.0.302, superseded by 3.x) |
| Closed (build failures) | #834 (BenchmarkDotNet), #832 (Perfolizer) |
| Closed (PerfDiff breakage) | #821 (dotnet monorepo) |
| Merged | #878, #882, #881, #879, #883, #884 |

## Validation

- `dotnet build /p:PedanticMode=true`: 0 warnings, 0 errors
- `dotnet format`: no changes needed
- Tests cannot run locally (machine has .NET 10 only, test TFM is net8.0); CI will validate

## Test plan

- [ ] CI build passes
- [ ] All tests pass
- [ ] No new bot PRs from dependabot for NuGet packages
- [ ] Renovate correctly picks up future dependency updates
- [ ] Auto-approve/merge workflow fires for new renovate PRs

🤖 Generated with [Claude Code](https://claude.com/claude-code)

## Summary by CodeRabbit

* **Chores**
  * Consolidated dependency-update process: moved NuGet management to Renovate, removed several automated auto-approve/auto-merge workflows for bot PRs, and adjusted automerge/approval behavior and rules.
  * Renovate configuration updated with new groups, ignore lists, and automerge adjustments.
* **Documentation**
  * Added a dependency management guide detailing categories, upgrade policies, configuration patterns, and workflow recommendations.

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
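As an added illustration of the consolidated workflow shape the commit message describes (example code written here, not the repository's actual `dependabot-approve-and-auto-merge.yml`): one workflow with a dependabot job gated on the fetch-metadata update type and a renovate job that approves but leaves the merge decision to the `automerge` rules in `renovate.json`. The workflow name, the semver-major gate, the squash strategy and the approve-only renovate job are assumptions.

```yaml
# Assumed shape of a single consolidated bot-approval workflow (example, not the repo's file).
name: Bot PR approve and auto-merge

on:
  pull_request:
    types: [opened, synchronize, reopened]

# Approving and enabling auto-merge need write scopes; the default GITHUB_TOKEN is read-only.
permissions:
  contents: write
  pull-requests: write

jobs:
  dependabot:
    # Key on the PR author login, not github.actor (whoever re-ran the workflow).
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Classify the update
        id: meta
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      # Major version bumps are left open for a human reviewer (assumed policy).
      - name: Approve and enable auto-merge for non-major updates
        if: steps.meta.outputs.update-type != 'version-update:semver-major'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: |
          gh pr review --approve "$PR_URL"
          gh pr merge --auto --squash "$PR_URL"

  renovate:
    if: github.event.pull_request.user.login == 'renovate[bot]'
    runs-on: ubuntu-latest
    steps:
      # Approve only: Renovate's own packageRules (for example automerge: false on the
      # benchmark-tooling group) decide whether a PR is merged. Calling `gh pr merge --auto`
      # here would override those rules for every Renovate PR.
      - name: Approve
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: gh pr review --approve "$PR_URL"
```

Required status checks on the protected branch still gate the merge, so `--auto` only completes once CI passes.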
This PR contains the following updates:

DotNet.ReproducibleBuilds: 1.2.39 → 2.0.2

Release Notes

dotnet/reproducible-builds (DotNet.ReproducibleBuilds)

v2.0.2: What's Changed
Full Changelog: dotnet/reproducible-builds@v2.0.1...v2.0.2

v2.0.1: What's Changed
Full Changelog: dotnet/reproducible-builds@v1.2.39...v2.0.1
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.