fix: resolve CS8032 assembly version mismatch (#850)

[rjmurillo]

Summary

Fixes #850. The analyzer was broken for all users on v0.4.0 because the shipped DLLs referenced System.Collections.Immutable versions that don't exist in the user's compiler host:

• Moq.Analyzers.dll referenced SCI 10.0.0.0 (via transitive pin from Renovate PR chore(deps): update dotnet monorepo to v10 (major) #822)
• Bundled AnalyzerUtilities.dll (v4.14.0) referenced SCI 9.0.0.0
• .NET 8 SDK hosts only provide SCI 8.0.0.0, causing CS8032 on every build

Root cause fix

• Downgrade SCI transitive pin: 10.0.0 -> 8.0.0
• Downgrade AnalyzerUtilities: 4.14.0 -> 3.3.4 (its bundled DLL also referenced SCI 9.0.0.0; v3.3.4 references SCI 1.2.3.0, compatible with all hosts)
• Add SCI VersionOverride in Benchmarks project (not shipped, needs higher version for TraceEvent)

Defense in depth (prevent recurrence)

Layer	What	When
MSBuild target	ValidateAnalyzerHostCompatibility in Packaging.targets	Every build (local + CI)
Unit test	AnalyzerAssemblyCompatibilityTests checks all 3 shipped DLLs	Every test run
Renovate rule	automerge: false + analyzer-compat label for SCI, SRM, AnalyzerUtilities	Every Renovate PR
Dependabot ignore	SCI + System.Reflection.Metadata added to ignore list	Dependabot scheduling
Comments	Warning in Directory.Packages.props	Human reads the file

Verified assembly references after fix

Moq.Analyzers.dll         -> SCI 8.0.0.0  (was 10.0.0.0)
Moq.CodeFixes.dll         -> SCI 8.0.0.0
AnalyzerUtilities.dll     -> SCI 1.2.3.0  (was 9.0.0.0)

Test plan

• Build succeeds with 0 errors, 0 warnings
• All 1928 existing tests pass (no regressions)
• 3 new AnalyzerAssemblyCompatibilityTests pass
• Assembly references verified: all shipped DLLs reference SCI <= 8.0.0.0
• CI passes
• Manual: reference locally-built nupkg from a net8.0 project, confirm no CS8032

🤖 Generated with Claude Code

Summary by CodeRabbit

• Tests

  • Added analyzer assembly compatibility tests to verify shipped analyzers load correctly across supported hosts.

• Documentation

  • Enhanced contribution guide with instructions for running CI workflows locally.

• Chores

  • Added CI build/test/load-test steps and standardized artifact handling and matrices.
  • Enforced packaging checks and updated dependency pins; added tooling overrides and a Renovate rule requiring manual review for analyzer-related dependency updates.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds packaging-time MSBuild validation to cap System.Collections.Immutable and System.Reflection.Metadata major versions, pins corresponding packages, updates CI to validate shipped analyzers and packaging, adds local "gh act" guidance, and adds test/override entries to ensure non-shipped tooling can use newer SCI.

Changes

Cohort / File(s)	Summary
Dependabot / Renovate rules .github/dependabot.yml, renovate.json	Added ignore/automation rules for analyzer-related packages (System.Collections.Immutable, System.Reflection.Metadata, Microsoft.CodeAnalysis.AnalyzerUtilities) and labeled them analyzer-compat.
Package pins Directory.Packages.props	Pinned Microsoft.CodeAnalysis.AnalyzerUtilities -> 3.3.4 and System.Collections.Immutable -> 8.0.0 with explanatory comments about host compatibility.
MSBuild packaging validation build/targets/packaging/Packaging.targets, Directory.Build.targets	New Packaging.targets import and ValidateAnalyzerHostCompatibility target that inspects resolved compile file definitions and fails packaging if SCI or SRM major versions exceed configured maxima (8).
CI workflows .github/workflows/main.yml, .github/workflows/release.yml	Added build job steps to validate shipped analyzer DLLs, new analyzer-load-test job to exercise analyzer loading across targets/runners, consolidated artifact uploads, and simplified named artifact download in release workflow.
Local CI docs CONTRIBUTING.md	New "Running Workflows Locally with gh act" section with commands, matrix filtering, artifact handling, secrets guidance, and limitations.
Non-shipped overrides src/tools/PerfDiff/PerfDiff.csproj, tests/Moq.Analyzers.Benchmarks/...csproj	Added PackageReference/VersionOverride for System.Collections.Immutable (10.0.0) to allow newer SCI in tooling/benchmarks that are not shipped.
Runtime/test validation tests/Moq.Analyzers.Test/AnalyzerAssemblyCompatibilityTests.cs	New test that loads shipped analyzer assemblies in a collectible AssemblyLoadContext and asserts bundled/reference SCI and SRM major versions do not exceed configured maxima.
Minor workflow config .github/dependabot.yml	Added three NuGet ignore entries for the analyzer-related packages.

Sequence Diagram(s)

sequenceDiagram
    participant Developer
    participant GitHubActions as "GitHub Actions (main)"
    participant MSBuild as "MSBuild / dotnet"
    participant PackagingTargets as "Packaging.targets"
    participant ArtifactStore as "Artifacts / NuGet package"

    Developer->>GitHubActions: push / PR triggers workflow
    GitHubActions->>MSBuild: restore & ResolvePackageAssets
    MSBuild->>PackagingTargets: After ResolvePackageAssets -> ValidateAnalyzerHostCompatibility
    PackagingTargets->>MSBuild: inspect @(ResolvedCompileFileDefinitions)
    PackagingTargets->>MSBuild: compare major versions (SCI / SRM) vs ceilings
    alt version exceeds ceiling
        PackagingTargets->>GitHubActions: fail build with descriptive error
    else within limits
        MSBuild->>ArtifactStore: produce package/artifacts
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• Update release.yml to use Ubuntu package instead of Windows #304 — Related changes to the release workflow's package download step (artifact selection).
• Add reference to Microsoft.CodeAnalysis.AnalyzerUtilities and delete forked methods #290 — Related package/reference changes around Microsoft.CodeAnalysis.AnalyzerUtilities and analyzer packaging.
• feat(ci): automate and enhance performance validation, add semantic PR checks, and consolidate build steps #562 — Related CI/performance workflow enhancements and artifact/baseline handling.

Suggested labels

bug, dependencies, build, releasable, github_actions

Suggested reviewers

• MattKotsenas

🚥 Pre-merge checks | ✅ 5 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the primary fix: resolving CS8032 assembly version mismatch, which is the core issue addressed by downgrading System.Collections.Immutable and related dependencies.
Linked Issues check	✅ Passed	The PR comprehensively addresses issue #850's requirements [#850]: downgraded SCI to 8.0.0, downgraded AnalyzerUtilities to 3.3.4, added validation MSBuild target, added unit tests for compatibility, and added Renovate/Dependabot guards to prevent future regressions.
Out of Scope Changes check	✅ Passed	All changes are directly related to resolving issue #850: package downgrades, validation infrastructure, CI/CD workflow updates, documentation, and dependency overrides are all in-scope for fixing the CS8032 assembly version mismatch.
Merge Conflict Detection	✅ Passed	✅ No merge conflicts detected when merging into main

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/850-system-collections-immutable-version-mismatch

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @rjmurillo, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses and resolves a critical CS8032 assembly version mismatch error that impacted all users of v0.4.0 of the analyzer. The problem originated from the analyzer referencing versions of System.Collections.Immutable and Microsoft.CodeAnalysis.AnalyzerUtilities that were newer than what the .NET 8 SDK host provides. The solution involves carefully downgrading these specific dependencies and implementing a comprehensive set of defense-in-depth measures, including new build-time validation, dedicated unit tests, and updated dependency management configurations, to ensure long-term stability and prevent similar compatibility issues from recurring.

Highlights

• Resolved CS8032 Error: Fixed the assembly version mismatch error (CS8032) that prevented the analyzer from loading in .NET 8 SDK hosts by addressing incompatible dependency versions.
• Dependency Downgrades: Downgraded the System.Collections.Immutable package from version 10.0.0 to 8.0.0 and Microsoft.CodeAnalysis.AnalyzerUtilities from 4.14.0 to 3.3.4 to ensure compatibility with the .NET 8 SDK host's provided assemblies.
• Build-Time Compatibility Validation: Introduced a new MSBuild target, ValidateAnalyzerHostCompatibility, which enforces version ceilings on host-provided packages during the build process to prevent future regressions.
• Runtime Compatibility Tests: Added AnalyzerAssemblyCompatibilityTests to programmatically verify that shipped analyzer DLLs do not reference versions of System.Collections.Immutable or System.Reflection.Metadata that exceed the minimum supported SDK host's capabilities.
• Preventative Dependency Management: Configured Dependabot to ignore System.Collections.Immutable and System.Reflection.Metadata, and added a Renovate rule to disable automerge and require manual review for updates to these and Microsoft.CodeAnalysis.AnalyzerUtilities.

Changelog

• .github/dependabot.yml
  • Added System.Collections.Immutable and System.Reflection.Metadata to the ignore list to prevent automatic updates that could cause compatibility issues.
• Directory.Build.targets
  • Imported the new Packaging.targets file to integrate the analyzer host compatibility validation into the build process.
• Directory.Packages.props
  • Downgraded the Microsoft.CodeAnalysis.AnalyzerUtilities package version to 3.3.4 and System.Collections.Immutable to 8.0.0.
  • Added detailed comments explaining the rationale for these specific package versions and their impact on analyzer compatibility.
• build/targets/packaging/Packaging.targets
  • Added a new MSBuild target file that defines ValidateAnalyzerHostCompatibility to check for System.Collections.Immutable version compatibility during builds for shipped analyzer projects.
• renovate.json
  • Added a new package rule to disable automerge and apply an analyzer-compat label for updates to System.Collections.Immutable, System.Reflection.Metadata, and Microsoft.CodeAnalysis.AnalyzerUtilities, requiring manual review.
• tests/Moq.Analyzers.Benchmarks/Moq.Analyzers.Benchmarks.csproj
  • Added a VersionOverride for System.Collections.Immutable to 10.0.0 for the benchmarks project, as it is not shipped and has different dependency requirements.
• tests/Moq.Analyzers.Test/AnalyzerAssemblyCompatibilityTests.cs
  • Added a new test file containing AnalyzerAssemblyCompatibilityTests to programmatically verify that shipped analyzer DLLs adhere to the maximum allowed assembly versions for host-provided packages.

Activity

• The build process completed successfully with no errors or warnings.
• All 1928 existing unit tests passed, confirming no regressions were introduced.
• Three new AnalyzerAssemblyCompatibilityTests were added and passed, validating the assembly compatibility checks.
• Assembly references for shipped DLLs were verified to ensure they align with the required versions.
• CI checks are expected to pass.
• Manual verification of the locally-built NuGet package in a .NET 8.0 project is planned to confirm the absence of CS8032 errors.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[deepsource-io]

DeepSource Code Review

DeepSource reviewed changes in the commit range 6ec810c..49ad078 on this pull request. Below is the summary for the review, and you can see the individual issues we found as review comments.

For detailed review results, please see the PR on DeepSource ↗

PR Report Card

Security	× 0 issues		Overall PR Quality    Focus Area: Complexity Guidance Fix inefficient method of obtaining current assembly in `tests/Moq.Analyzers.Test/AnalyzerAssemblyCompatibilityTests.cs`.
Reliability	× 0 issues
Complexity	× 4 issues
Hygiene	× 0 issues

Code Review Summary

Analyzer	Status	Summary	Details
C#		4 new issues detected.	Review ↗

How are these analyzer statuses calculated?

Administrators can configure which issue categories are reported and cause analysis to be marked as failed when detected. This helps prevent bad and insecure code from being introduced in the codebase. If you're an administrator, you can modify this in the repository's settings.

[gemini-code-assist]

Code Review

This pull request provides a comprehensive fix for the CS8032 assembly version mismatch issue. The changes correctly downgrade System.Collections.Immutable and Microsoft.CodeAnalysis.AnalyzerUtilities to versions compatible with the minimum supported SDK host. The addition of multiple 'defense in depth' layers, including a new MSBuild validation target, unit tests, and dependency management configurations, is an excellent strategy to prevent this issue from recurring. The code is high quality and the approach is very thorough. I have one suggestion to further improve the new MSBuild validation target for even better consistency across the new preventative measures.

[codacy-production]

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation	Diff coverage
✅ +0.00% (target: -1.00%)	✅ ∅ (target: 95.00%)

Coverage variation details

	Coverable lines	Covered lines	Coverage
Common ancestor commit (6ec810c)	2045	1819	88.95%
Head commit (40802cc)	2045 (+0)	1819 (+0)	88.95% (+0.00%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

	Coverable lines	Covered lines	Diff coverage
Pull request (#888)	0	0	∅ (not applicable)

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

See your quality gate settings    Change summary preferences

[CLAassistant]

All committers have signed the CLA.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @.github/workflows/main.yml:
- Around line 59-63: Replace the brittle hardcoded $shippedDlls array with
dynamic glob-based discovery: locate the $shippedDlls variable and change its
assignment to gather DLLs via a recursive glob pattern (e.g., matching
artifacts/bin/**/release/*.dll) and optional name filters to keep only the
intended assemblies; ensure you preserve any existing explicit filtering
semantics (for example by filtering on filename prefixes like "Moq.Analyzers" or
an allowlist) so the workflow validates the same set of shipped assemblies while
tolerating output-structure changes.