Bump NuGet dependencies (Polyfill 10.0.0, Spectre.Console 0.55.0, TUnit 1.28.7) #423
…8.7)

- Polyfill 9.24.0 → 10.0.0 (major: Directory polyfills now use C# 14 extension syntax; not used via Polyfill.* in this repo)
- Spectre.Console 0.54.0 → 0.55.0 (minor: Style is now a struct; not used directly in this repo)
- Spectre.Console.ImageSharp 0.54.0 → 0.55.0
- TUnit 1.24.18 → 1.28.7 (minor: new AggregateException assertions, mock perf, race condition fix in parallel tests)

Group all NuGet update types (major+minor+patch) in dependabot.yml to prevent future conflicts between standalone major-bump PRs and the minor/patch group PR.

Extend the lock-file regeneration workflow to also run for deps/* branches (previously only triggered for dependabot[bot] actor).

https://claude.ai/code/session_01TAbeYaM8tVgQZp7meWf3Qy
Pull request overview
Consolidates multiple Dependabot updates into a single dependency bump and adjusts automation to reduce future dependency-update PR conflicts while keeping NuGet lock files in sync.
Changes:
- Bump NuGet package versions: Polyfill 10.0.0, Spectre.Console(+ImageSharp) 0.55.0, TUnit 1.28.7.
- Update Dependabot grouping to include major NuGet updates in the existing `nuget-dependencies` group.
- Expand the lockfile-regeneration workflow to also run for PR branches prefixed with `deps/`.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| Directory.Packages.props | Updates centrally-managed NuGet dependency versions. |
| .github/workflows/dependabot-lockfile.yml | Broadens the lockfile-fix job trigger condition to include deps/* branches. |
| .github/dependabot.yml | Adds major to the NuGet dependency group’s update-types to avoid split PRs. |
| fix-lock-files: | ||
| name: Fix Lock Files | ||
| if: github.actor == 'dependabot[bot]' | ||
| if: github.actor == 'dependabot[bot]' || startsWith(github.head_ref, 'deps/') |
The job condition allows any PR branch named deps/* to run with contents: write and will try to checkout/git push the head branch. For PRs coming from forks, github.head_ref isn’t a ref in this repo and pushing back will fail (and the write permission is broader than intended). Consider tightening the condition to only allow deps/* when github.event.pull_request.head.repo.full_name == github.repository (or similar) and keep Dependabot as the other allowed path.
| if: github.actor == 'dependabot[bot]' || startsWith(github.head_ref, 'deps/') | |
| if: github.actor == 'dependabot[bot]' || (startsWith(github.head_ref, 'deps/') && github.event.pull_request.head.repo.full_name == github.repository) |
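Review bot: in the suggested `if:` line the same-repository comparison is parenthesized with the `deps/` prefix only, so the `github.actor == 'dependabot[bot]'` operand still admits a pull request whose head is in another repository. Dependabot opens its branches in the repository it updates, so the comparison can guard both paths: `(github.actor == 'dependabot[bot]' || startsWith(github.head_ref, 'deps/')) && github.event.pull_request.head.repo.full_name == github.repository`. Note also that `github.actor` is the account that triggered the run, not the author of the pull request; `github.event.pull_request.user.login` identifies the author, if that is what the job means to check.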
Summary
Consolidates the conflicting Dependabot PRs #421 and #422 into a single update.
Package updates
Breaking changes reviewed
- Polyfill 10.0.0 — Six `Directory.*` polyfill methods moved from `Polyfill.*` static class to C# 14 `extension(Directory)` syntax. This repo does not call any `Polyfill.EnumerateFiles/GetFiles/etc.` methods directly, so no code changes needed. The existing `LangVersion=preview` already satisfies the C# 14 requirement.
- Spectre.Console 0.55.0 — `Style` is now a struct; `Render` extension method removed. Neither is used in this repo.
- TUnit 1.24.18 → 1.28.7 — Only breaking change is dropping net6/net7 TFMs, which does not affect this repo (targets net10.0).
Other changes
- `dependabot.yml`: Added `major` to the `nuget-dependencies` group so all NuGet updates (major + minor + patch) land in a single PR, preventing future conflicts between major-bump standalone PRs and the minor/patch group PR.
- `dependabot-lockfile.yml`: Extended the lock-file regeneration workflow to also trigger for `deps/*` branches (previously only ran for `dependabot[bot]` actor), so CI regenerates lock files for manual dependency update PRs.