Update package lock, enforce locked restore in CI

[snovak7]

Closes #30

Summary by CodeRabbit

• Chores
  • Updated build workflow to use SDK version from configuration file and enabled caching for improved build performance.
  • Adjusted build properties to improve package restore reliability and centralized package version management for consistency in continuous integration environments.
  • Restricted SDK usage to stable releases only.
  • Added a lock file to ensure consistent dependency versions for code analysis tools.

[coderabbitai]

Walkthrough

The changes introduce caching for NuGet package restores in the GitHub Actions workflow, centralize package version management, and enforce the use of lock files and stable SDKs in the .NET build process. A lock file is added for a specific analyzer project, and build properties are updated to align with continuous integration best practices.

Changes

Cohort / File(s)	Change Summary
GitHub Actions Workflow .github/workflows/build.yml	Updated .NET SDK setup to use global.json, enabled caching for SDK and dependencies, and set cache invalidation via lock files.
MSBuild Properties Directory.Build.props	Added/modified properties to enable restore locking, central package version management, and CI-specific build behaviors.
SDK Configuration global.json	Changed SDK setting to disallow prerelease versions (allowPrerelease: false).
NuGet Lock File Addition src/Escendit.Tools.CodeAnalysis.NetAnalyzers/packages.lock.json	Added lock file specifying resolved package versions and dependency graph for .NET Standard targets.

Sequence Diagram(s)

sequenceDiagram
    participant GitHub Actions
    participant .NET SDK Setup
    participant MSBuild
    participant NuGet

    GitHub Actions->>.NET SDK Setup: Read SDK version from global.json
    .NET SDK Setup->>.NET SDK Setup: Enable cache (based on packages.lock.json)
    GitHub Actions->>MSBuild: Start build with CI properties
    MSBuild->>NuGet: Restore packages (locked mode if CI)
    NuGet-->>MSBuild: Use packages.lock.json for dependency resolution
    MSBuild-->>GitHub Actions: Build completes with locked dependencies

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Assessment against linked issues

Objective	Addressed	Explanation
Enable cache capability with NuGet Restore (#30)	✅
Build should be based on a lock file (if present) (#30)	✅

Assessment against linked issues: Out-of-scope changes

No out-of-scope changes found.

Poem

In the meadow where lock files grow,
The rabbit hops with caches in tow.
CI winds blow, dependencies freeze,
Stable SDKs put minds at ease.
Packages locked, builds run fast—
This carrot’s for code that’s built to last! 🥕

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch 30-enable-cache-capability-with-nuget-restore

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

global.json (1)

4-5: Confirm rollForward strategy to avoid unintended SDK jumps

With allowPrerelease now false, consider narrowing rollForward to avoid silently moving to a future major SDK on dev machines.

Apply this diff if you prefer staying within 9.x feature bands:

-    "rollForward": "latestMajor",
+    "rollForward": "latestFeature",

.github/workflows/build.yml (1)

32-34: Broaden cache key inputs to reflect central package/version changes

Include central mgmt and config files so the NuGet cache invalidates when inputs change (e.g., Directory.Packages.props, NuGet.config, global.json).

Apply this diff:

         with:
           global-json-file: global.json
           cache: 'true'
-          cache-dependency-path: '**/packages.lock.json'
+          cache-dependency-path: |
+            **/packages.lock.json
+            **/Directory.Packages.props
+            **/nuget.config
+            global.json

Additionally, consider making restore explicitly locked (the MSBuild property should already do it via CI=true, but this is belt-and-suspenders):

- run: dotnet restore
+ run: dotnet restore --locked-mode

Directory.Build.props (1)

3-6: CI-locked restore looks good; optionally add static graph for faster restores

Locked mode + lock files in CI is correct. For larger solutions, enabling static graph can speed restores.

   <PropertyGroup>
     <RestoreLockedMode Condition="'$(CI)' == 'true'">true</RestoreLockedMode>
     <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
+    <RestoreUseStaticGraphEvaluation>true</RestoreUseStaticGraphEvaluation>
   </PropertyGroup>

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5403184 and 85bafd3.

📒 Files selected for processing (4)

• .github/workflows/build.yml (1 hunks)
• Directory.Build.props (1 hunks)
• global.json (1 hunks)
• src/Escendit.Tools.CodeAnalysis.NetAnalyzers/packages.lock.json (1 hunks)

🔇 Additional comments (3)

src/Escendit.Tools.CodeAnalysis.NetAnalyzers/packages.lock.json (1)

1-35: All lock files and central package versions verified

• Directory.Packages.props exists and includes
  <PackageVersion Include="Escendit.Tools.Branding" Version="1.2.0"/>.
• Every .csproj has a corresponding packages.lock.json in its project directory.

RestoreLockedMode will succeed in CI.

Directory.Build.props (2)

11-12: CI metadata property is appropriate

Setting ContinuousIntegrationBuild in CI is a good practice; it helps with deterministic/source-linked builds.

---

13-16: Central package management verified

• Directory.Packages.props exists at the repo root and contains a <PackageVersion Include="Escendit.Tools.Branding" Version="1.2.0" />.
• No missing central version was found for Escendit.Tools.Branding.

Everything referenced in your projects is centrally versioned. To further lock down transitive dependencies, you can enable transitive pinning:

<PropertyGroup>
  <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
  <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
</PropertyGroup>