Skip to content

feat(ci): add Dependabot NuGet configuration for net481-safe dependency updates#341

Merged
drmoisan merged 2 commits into
mainfrom
feature/dependabot-net481-support-340
Jul 16, 2026
Merged

feat(ci): add Dependabot NuGet configuration for net481-safe dependency updates#341
drmoisan merged 2 commits into
mainfrom
feature/dependabot-net481-support-340

Conversation

@drmoisan

@drmoisan drmoisan commented Jul 16, 2026

Copy link
Copy Markdown
Owner

Suggested title

feat(ci): add Dependabot NuGet configuration for net481-safe dependency updates

Summary

  • Adds .github/dependabot.yml, enabling the nuget package ecosystem across all 16 packages.config project directories via directories: ["/*"].
  • Adds a semver-major-scoped ignore safety net on eight Microsoft .NET-runtime-aligned package families (Microsoft.Extensions.*, Microsoft.Bcl.*, System.Text.Json, System.Drawing.Common, Microsoft.Graph*, Apache.Arrow*, Microsoft.Data.Analysis, Microsoft.ML*) so automated updates cannot introduce a .NET Framework 4.8.1 (net481) incompatibility; minor/patch updates, including security patches, are unaffected.
  • Groups updates into four buckets (analyzers-dev-deps, test-frameworks, microsoft-extensions-and-bcl, graph-identity-telemetry) so shared-package updates arrive as one PR per group instead of one PR per directory.
  • Sets a weekly update schedule with open-pull-requests-limit: 10.
  • Adds a new README.md section, "Dependency updates (Dependabot)", documenting the configuration and its rationale, with a corresponding ## Contents entry.
  • Adds the feature's planning/spec/research/evidence documentation under docs/features/active/2026-07-16-dependabot-net481-support-340/ and a task-researcher memory entry.
  • No production .cs/.csproj files are touched; no target-framework-moniker element changes.

Why

The repository has no automated dependency-update tooling. NuGet package versions across all 16 packages.config-based project directories are updated manually, so known-vulnerable or stale dependency versions can persist unnoticed (user-story.md, Problem/Why).

Every production project is fixed to .NET Framework 4.8.1. Any automation introduced to solve the staleness problem must not itself become a source of framework-incompatible breakage, since the maintainer has no path to move these projects off net481 in the near term (user-story.md, Problem/Why). Dependabot has no native "TFM-aware ignore" primitive; per the feature's research, no currently-published version of any package referenced in this repo's 16 packages.config files has dropped net481 support — a verified negative finding, not an assumption — so the compatibility safety net is implemented as a semver-major-scoped ignore rule set on the Microsoft .NET-runtime-aligned package families (spec.md, Constraints & Risks).

Dependabot's NuGet updater is documented to be unable to update an indirect/transitive dependency independently of its parent, and packages.config carries no lockfile, which further motivates the grouped, ignore-scoped configuration rather than an unconstrained one (spec.md, Behavior).

What Changed

CI / tooling configuration

  • .github/dependabot.yml (new, 62 lines): version: 2; one updates: entry with package-ecosystem: "nuget"; directories: ["/*"]; schedule.interval: "weekly"; open-pull-requests-limit: 10; four groups buckets using patterns and group-by: "dependency-name"; an ignore list scoping eight Microsoft .NET-runtime-aligned package families to update-types: ["version-update:semver-major"].

Documentation

  • README.md: new "Dependency updates (Dependabot)" section (per spec AC-12) plus a corresponding ## Contents entry.

Feature planning/process artifacts (docs/features/active/2026-07-16-dependabot-net481-support-340/)

  • issue.md, spec.md, user-story.md, plan.2026-07-16T15-56.md, research/2026-07-16T16-10-dependabot-net481-support-research.md.
  • evidence/baseline/, evidence/qa-gates/, evidence/other/ — baseline capture, AC-2/AC-4/AC-10/YAML-validity check evidence, and the AC-5/AC-11 deferred-note and plan-completion-summary records.
  • .claude/agent-memory/task-researcher/MEMORY.md and project_dependabot_net481_340.md — task-researcher memory entry for this feature.

No .cs, .csproj, .props, or .targets files are added or modified.

Architecture / How It Fits Together

.github/dependabot.yml is consumed directly by GitHub's hosted Dependabot service; there is no in-repo code path or entry point involved. The single nuget ecosystem entry scans every top-level directory (directories: ["/*"]) for packages.config files, applies the ignore safety net when evaluating candidate versions, buckets matching packages into the four groups, and opens grouped pull requests on the configured weekly schedule, capped at 10 concurrently open PRs. The README.md section is documentation only and does not change any runtime or build behavior.

Verification

Completed (from plan/evidence artifacts in this feature folder):

  • Baseline confirmed: .github/dependabot.yml did not exist prior to this change; README.md had no Dependency updates (Dependabot) entry (plan P0-T4, P0-T5; evidence/baseline/pre-change-state.2026-07-16T15-56.md).
  • packages.config directory enumeration performed (Get-ChildItem -Path . -Filter packages.config -Recurse) and recorded as evidence supporting AC-3/AC-4 (evidence/qa-gates/ac4-packages-config-enumeration.2026-07-16T15-56.md).
  • YAML validity checked (python -c "import yaml; yaml.safe_load(...)") (evidence/qa-gates/yaml-validity.2026-07-16T15-56.md).
  • Schema/structure review of the nuget update entry against the Dependabot v2 options reference (evidence/qa-gates/ac2-schema-structure-review.2026-07-16T15-56.md).
  • Diff review confirming zero .csproj/TFM-declaring element modifications (evidence/qa-gates/ac10-diff-review.2026-07-16T15-56.md).
  • Feature-review completed with zero blocking findings (policy-audit, code-review, feature-audit artifacts present in the feature folder, per task context).
  • AC-1 through AC-4, AC-6 through AC-10, and AC-12 are checked off in spec.md and user-story.md.

Recommended (not part of this PR's automated toolchain — config/documentation-only change; no C# code, so the CSharpier/analyzer/nullable/MSTest toolchain does not apply):

  • Not verified in this PR: post-merge, confirm via Insights → Dependency graph → Dependabot (or the "Recent update jobs" log) that at least one of the 16 directories is scanned and produces a dependency list (AC-11, deferred/manual by design).

Backward Compatibility / Migration Notes

  • No breaking changes. No existing file's target framework moniker or .csproj content is modified (AC-10).
  • No production code is added, removed, or renamed.
  • This is a net-new configuration file and a documentation addition only.

Risks and Mitigations

  • Risk: The directories: ["/*"] glob could under-match relative to an explicit 16-entry directory list, leaving some packages.config directories unscanned.
    Mitigation: AC-5 is a pre-decided fallback: if the post-merge AC-11 check shows Dependabot scanning fewer directories than expected, the config is corrected in a follow-up commit to an explicit 16-entry directories: list, removing the glob. This is documented as the only acceptable resolution path (spec.md, AC-5) and is intentionally deferred rather than blocking this merge.
  • Risk: An automated dependency update could propose a package version that drops .NET Framework 4.8.1 support, which the project cannot recover from without an out-of-scope framework migration.
    Mitigation: The ignore list scopes eight Microsoft .NET-runtime-aligned package families to semver-major updates only; per the feature's research, no currently-published version of any referenced package has dropped net481 support (a verified negative finding). Minor/patch updates, including security patches, remain unaffected (AC-6, AC-7).
  • Risk: AC-11 (post-merge Dependabot Insights confirmation) is a manual, human-performed step not covered by any automated gate in this PR.
    Mitigation: Recorded as a deferred, tracked item in the feature's evidence (ac5-ac11-deferred-note.2026-07-16T15-56.md); orchestrator-resolved as a non-blocking scope change. The feature is not considered fully verified until AC-11 passes or the AC-5 fallback has been applied and re-checked.

Review Guide

Suggested order:

  1. .github/dependabot.yml — the sole functional change; review directories, ignore, groups, and schedule values against spec.md AC-1–AC-9.
  2. README.md — new documentation section; confirm it matches AC-12's required content points.
  3. docs/features/active/2026-07-16-dependabot-net481-support-340/spec.md and user-story.md — acceptance-criteria source of truth.
  4. docs/features/active/2026-07-16-dependabot-net481-support-340/research/2026-07-16T16-10-dependabot-net481-support-research.md — technical basis for the ignore safety net and directory-scoping decision.
  5. evidence/ subfolders — supporting verification records for AC-2, AC-4, AC-10, and YAML validity.

No mechanical moves/renames and no core logic changes are present in this diff (17 files changed, 961 insertions(+), 0 deletions(-); 16 Markdown files and 1 YAML file).

Follow-ups

  • AC-11: after merge, a maintainer must manually confirm via GitHub's Insights → Dependency graph → Dependabot tab that at least one of the 16 directories is scanned and produces a dependency list.
  • AC-5: if AC-11 shows under-coverage (fewer directories scanned than expected), a follow-up commit must replace directories: ["/*"] with the explicit 16-entry directory list documented in the spec's Appendix A.

GitHub Auto-close

drmoisan added 2 commits July 16, 2026 16:36
- Add .github/dependabot.yml with weekly NuGet ecosystem updates
- Group dependencies by type: analyzers, test frameworks, Microsoft packages, Graph/Identity/Telemetry
- Apply semver-major ignore rules for .NET Framework 4.8.1 compatibility protection
- Document configuration rationale, directory scoping, and post-merge verification in README

Refs: #340
…upport

Records the policy-audit, code-review, and feature-audit produced by the
feature-review pass (zero blocking findings) so the branch's audit trail
is complete before merge.

Refs: #340
@drmoisan
drmoisan merged commit 136c0cd into main Jul 16, 2026
2 checks passed
@drmoisan
drmoisan deleted the feature/dependabot-net481-support-340 branch July 16, 2026 23:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Feature: dependabot-net481-support

1 participant