From e8f893729fbb769342a0c3f23b3d5e72e8e57b0d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zolt=C3=A1n=20Leh=C3=B3czky?=
Date: Thu, 13 Jun 2024 16:38:54 +0200
Subject: [PATCH 01/11] Temporarily downgrading Azure.Identity to produce a NuGet audit warning
---
 Directory.Packages.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Directory.Packages.props b/Directory.Packages.props
index 7d70165aeeb..10f77b5943b 100644
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@@ -18,7 +18,7 @@ - +
From 863080ef6c8b51706bf6a2a328ce808b8b2aee51 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zolt=C3=A1n=20Leh=C3=B3czky?=
Date: Thu, 13 Jun 2024 16:45:10 +0200
Subject: [PATCH 02/11] Attempting treating NuGet audit warnings as warnings also during CI builds
---
 Directory.Build.props | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/Directory.Build.props b/Directory.Build.props
index 658a1de0111..e63b0513ea4 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -53,6 +53,11 @@ $(NoWarn);CA1861 + + NU1901;NU1902;NU1903;NU1904 +
From 4f8ef5f1f75fd6957024bbcd86a0a03921b67b72 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zolt=C3=A1n=20Leh=C3=B3czky?=
Date: Thu, 13 Jun 2024 17:09:03 +0200
Subject: [PATCH 03/11] Another attempt to not treat NuGet audit warnings as errors
---
 .github/workflows/pr_ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pr_ci.yml b/.github/workflows/pr_ci.yml
index 4e645136ff5..45632f1cdca 100644
--- a/.github/workflows/pr_ci.yml
+++ b/.github/workflows/pr_ci.yml
@@ -26,7 +26,7 @@ jobs:
 dotnet-version: '8.0.x'
 - name: Build
 run: |
- dotnet build -c Release -warnaserror /p:TreatWarningsAsErrors=true /p:RunAnalyzers=true
+ dotnet build -c Release -warnaserror /p:TreatWarningsAsErrors=true /p:RunAnalyzers=true /p:NoWarn=NU1901%3BNU1902%3BNU1903%3BNU1904
 - name: Unit Tests
 run: |
 dotnet test -c Release --no-build ./test/OrchardCore.Tests/OrchardCore.Tests.csproj
From e1c157f40e317a36367d87cb1c1bdf5904c15edf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zolt=C3=A1n=20Leh=C3=B3czky?=
Date: Thu, 13 Jun 2024 17:09:11 +0200
Subject: [PATCH 04/11] Revert "Another attempt to not treat NuGet audit warnings as errors"
This reverts commit 4f8ef5f1f75fd6957024bbcd86a0a03921b67b72.
---
 .github/workflows/pr_ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pr_ci.yml b/.github/workflows/pr_ci.yml
index 45632f1cdca..4e645136ff5 100644
--- a/.github/workflows/pr_ci.yml
+++ b/.github/workflows/pr_ci.yml
@@ -26,7 +26,7 @@ jobs:
 dotnet-version: '8.0.x'
 - name: Build
 run: |
- dotnet build -c Release -warnaserror /p:TreatWarningsAsErrors=true /p:RunAnalyzers=true /p:NoWarn=NU1901%3BNU1902%3BNU1903%3BNU1904
+ dotnet build -c Release -warnaserror /p:TreatWarningsAsErrors=true /p:RunAnalyzers=true
 - name: Unit Tests
 run: |
 dotnet test -c Release --no-build ./test/OrchardCore.Tests/OrchardCore.Tests.csproj
From 1529933b6b75ccfd115ea22b6791040c4da8fe9d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zolt=C3=A1n=20Leh=C3=B3czky?=
Date: Thu, 13 Jun 2024 17:09:35 +0200
Subject: [PATCH 05/11] Reapply "Another attempt to not treat NuGet audit warnings as errors"
This reverts commit e1c157f40e317a36367d87cb1c1bdf5904c15edf.
---
 .github/workflows/pr_ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pr_ci.yml b/.github/workflows/pr_ci.yml
index 4e645136ff5..45632f1cdca 100644
--- a/.github/workflows/pr_ci.yml
+++ b/.github/workflows/pr_ci.yml
@@ -26,7 +26,7 @@ jobs:
 dotnet-version: '8.0.x'
 - name: Build
 run: |
- dotnet build -c Release -warnaserror /p:TreatWarningsAsErrors=true /p:RunAnalyzers=true
+ dotnet build -c Release -warnaserror /p:TreatWarningsAsErrors=true /p:RunAnalyzers=true /p:NoWarn=NU1901%3BNU1902%3BNU1903%3BNU1904
 - name: Unit Tests
 run: |
 dotnet test -c Release --no-build ./test/OrchardCore.Tests/OrchardCore.Tests.csproj
From 9f246c2ffe4cd25ad25c37056b90449548d78da4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zolt=C3=A1n=20Leh=C3=B3czky?=
Date: Thu, 13 Jun 2024 17:09:53 +0200
Subject: [PATCH 06/11] Revert "Attempting treating NuGet audit warnings as warnings also during CI builds"
This reverts commit 863080ef6c8b51706bf6a2a328ce808b8b2aee51.
---
 Directory.Build.props | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/Directory.Build.props b/Directory.Build.props
index e63b0513ea4..658a1de0111 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -53,11 +53,6 @@ $(NoWarn);CA1861 - - NU1901;NU1902;NU1903;NU1904 -
From dc971bf1b2bd0f5e96bce842f310ed9b35e441f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zolt=C3=A1n=20Leh=C3=B3czky?=
Date: Thu, 13 Jun 2024 17:12:59 +0200
Subject: [PATCH 07/11] Comment
---
 .github/workflows/pr_ci.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/pr_ci.yml b/.github/workflows/pr_ci.yml
index 45632f1cdca..0b35fc4c44e 100644
--- a/.github/workflows/pr_ci.yml
+++ b/.github/workflows/pr_ci.yml
@@ -25,6 +25,10 @@ jobs:
 with:
 dotnet-version: '8.0.x'
 - name: Build
+ # The NU* ones are NuGet audit warnings, see https://learn.microsoft.com/en-us/nuget/reference/errors-and-warnings/nu1901-nu1904.
+ # Security issues being discovered in NuGet packages we use can happen any time, and thus all our CI builds that
+ # treat warnings as errors could break anytime, without us changing the code. This prevents that. Treaing them as
+ # warnings and other better approaches don't work, see https://github.com/OrchardCMS/OrchardCore/pull/16317.
 run: |
 dotnet build -c Release -warnaserror /p:TreatWarningsAsErrors=true /p:RunAnalyzers=true /p:NoWarn=NU1901%3BNU1902%3BNU1903%3BNU1904
 - name: Unit Tests
From 59284746c6f495182a0a4f66b7ff07fe31745df3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zolt=C3=A1n=20Leh=C3=B3czky?=
Date: Thu, 13 Jun 2024 19:56:06 +0200
Subject: [PATCH 08/11] Trying NuGetAudit=false
---
 .github/workflows/pr_ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pr_ci.yml b/.github/workflows/pr_ci.yml
index 0b35fc4c44e..cf7008ad8ce 100644
--- a/.github/workflows/pr_ci.yml
+++ b/.github/workflows/pr_ci.yml
@@ -30,7 +30,7 @@ jobs:
 # treat warnings as errors could break anytime, without us changing the code. This prevents that. Treaing them as
 # warnings and other better approaches don't work, see https://github.com/OrchardCMS/OrchardCore/pull/16317.
 run: |
- dotnet build -c Release -warnaserror /p:TreatWarningsAsErrors=true /p:RunAnalyzers=true /p:NoWarn=NU1901%3BNU1902%3BNU1903%3BNU1904
+ dotnet build -c Release -warnaserror /p:TreatWarningsAsErrors=true /p:RunAnalyzers=true /p:NuGetAudit=false
 - name: Unit Tests
 run: |
 dotnet test -c Release --no-build ./test/OrchardCore.Tests/OrchardCore.Tests.csproj
From 5467155d9758df7408bad3d3f60246a450e5e106 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zolt=C3=A1n=20Leh=C3=B3czky?=
Date: Thu, 13 Jun 2024 20:36:41 +0200
Subject: [PATCH 09/11] Disabling NuGet audit for some other builds, docs
---
 .github/workflows/main_ci.yml | 3 ++-
 .github/workflows/pr_ci.yml | 2 +-
 .github/workflows/preview_ci.yml | 3 ++-
 .github/workflows/release_ci.yml | 2 ++
 4 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/main_ci.yml b/.github/workflows/main_ci.yml
index bee2eb249f5..df4ec642251 100644
--- a/.github/workflows/main_ci.yml
+++ b/.github/workflows/main_ci.yml
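Review bot: `/p:NuGetAudit=false` on the added Build line switches the NuGet vulnerability audit off entirely for PR builds, which is wider than the goal described in the comment lines above it (keeping NU1901–NU1904 from failing a `-warnaserror` build): known-vulnerable direct and transitive packages are then not reported at all on the one workflow where dependency bumps get reviewed, and they only surface in release_ci.yml, where fixing them is most disruptive. If it was not already among the approaches ruled out in #16317, a narrower option that keeps the audit running is to exempt just those codes at the MSBuild switch level rather than via a property, e.g. `dotnet build -c Release -warnaserror "-warnnotaserror:NU1901;NU1902;NU1903;NU1904" /p:TreatWarningsAsErrors=true /p:RunAnalyzers=true` (the quotes stop the shell from splitting on `;`; confirm the MSBuild shipped with the pinned 8.0.x SDK accepts the switch). Failing that, keep the flag but add a separate `continue-on-error: true` step that runs `dotnet list package --vulnerable --include-transitive`, so audit findings remain visible in every PR log even though they no longer fail the build.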
@@ -31,8 +31,9 @@ jobs:
 with:
 dotnet-version: '8.0.x'
 - name: Build
+ # See pr_ci.yml for the reason why we disable NuGet audit warnings.
 run: |
- dotnet build -c Release -warnaserror /p:TreatWarningsAsErrors=true /p:RunAnalyzers=true
+ dotnet build -c Release -warnaserror /p:TreatWarningsAsErrors=true /p:RunAnalyzers=true /p:NuGetAudit=false
 - name: Unit Tests
 run: |
 dotnet test -c Release --no-build ./test/OrchardCore.Tests/OrchardCore.Tests.csproj
diff --git a/.github/workflows/pr_ci.yml b/.github/workflows/pr_ci.yml
index cf7008ad8ce..cf45cadfe05 100644
--- a/.github/workflows/pr_ci.yml
+++ b/.github/workflows/pr_ci.yml
@@ -25,7 +25,7 @@ jobs:
 with:
 dotnet-version: '8.0.x'
 - name: Build
- # The NU* ones are NuGet audit warnings, see https://learn.microsoft.com/en-us/nuget/reference/errors-and-warnings/nu1901-nu1904.
+ # We disable NuGet audit warnings, see https://learn.microsoft.com/en-us/nuget/reference/errors-and-warnings/nu1901-nu1904.
 # Security issues being discovered in NuGet packages we use can happen any time, and thus all our CI builds that
 # treat warnings as errors could break anytime, without us changing the code. This prevents that. Treaing them as
 # warnings and other better approaches don't work, see https://github.com/OrchardCMS/OrchardCore/pull/16317.
diff --git a/.github/workflows/preview_ci.yml b/.github/workflows/preview_ci.yml
index 53de8f9b9e2..8677fc1bf35 100644
--- a/.github/workflows/preview_ci.yml
+++ b/.github/workflows/preview_ci.yml
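Review bot: The rewritten comment line in the pr_ci.yml hunk, `# We disable NuGet audit warnings, …`, understates what the Build step now does: `/p:NuGetAudit=false` (the pr_ci.yml Build line from patch 08, and the main_ci.yml line in the hunk above) turns the audit itself off, not merely its warnings, so after this commit neither PR builds nor main-branch builds check dependencies against the advisory database at all. The comment should say so and point to where the check still runs, e.g. `# NuGetAudit=false turns the NuGet vulnerability audit off for this build (not just the NU1901-NU1904 warnings), so a CI build cannot start failing purely because a new advisory was published.` followed by `# Vulnerable packages are still caught by release_ci.yml, which keeps the audit on.` The same two lines would serve better than the one-line `# See pr_ci.yml …` pointer in main_ci.yml, since a reader of that file otherwise has no hint that this is a security check being disabled.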
@@ -34,8 +34,9 @@ jobs:
 run: echo "BuildNumber=$(( $GITHUB_RUN_NUMBER + 16368 ))" >> $GITHUB_ENV
 - name: Build
 if: steps.check-publish.outputs.should-publish == 'true'
+ # See pr_ci.yml for the reason why we disable NuGet audit warnings.
 run: |
- dotnet build -c Release -warnaserror /p:TreatWarningsAsErrors=true /p:RunAnalyzers=true
+ dotnet build -c Release -warnaserror /p:TreatWarningsAsErrors=true /p:RunAnalyzers=true /p:NuGetAudit=false
 - name: Unit Tests
 if: steps.check-publish.outputs.should-publish == 'true'
 run: |
diff --git a/.github/workflows/release_ci.yml b/.github/workflows/release_ci.yml
index 6b9b440c45f..d5027758f34 100644
--- a/.github/workflows/release_ci.yml
+++ b/.github/workflows/release_ci.yml
@@ -40,6 +40,8 @@ jobs:
 if: matrix.os == 'ubuntu-latest'
 run: echo "BuildNumber=$(( $GITHUB_RUN_NUMBER + 15471 ))" >> $GITHUB_ENV
 - name: Build
+ # NuGetAudit is intentionally not disabled here like it is for other CI builds, because we need to address any
+ # vulnerable packages before releasing a new version.
 run: |
 dotnet build -c Release -warnaserror /p:TreatWarningsAsErrors=true /p:RunAnalyzers=true -p:Version=${{ steps.get_version.outputs.VERSION }}
 - name: Unit Tests
From 89284ae5dd14579fad6643b68c92a8d182103fc9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zolt=C3=A1n=20Leh=C3=B3czky?=
Date: Thu, 13 Jun 2024 20:37:07 +0200
Subject: [PATCH 10/11] Revert "Temporarily downgrading Azure.Identity to produce a NuGet audit warning"
This reverts commit e8f893729fbb769342a0c3f23b3d5e72e8e57b0d.
---
 Directory.Packages.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Directory.Packages.props b/Directory.Packages.props
index 10f77b5943b..7d70165aeeb 100644
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@@ -18,7 +18,7 @@ - +
From eee53bc085abc435f646db04a37fbc7b17e75c15 Mon Sep 17 00:00:00 2001
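Review bot: In the preview_ci.yml hunk the Build step is gated by `if: steps.check-publish.outputs.should-publish == 'true'`, so the build that now carries `/p:NuGetAudit=false` appears to be the one whose output gets published as preview packages (the publish steps themselves are outside the hunk, so this is inferred from the step gate and the workflow name). That puts preview artefacts in the same position the release_ci.yml hunk below explicitly refuses to accept for releases: packages handed to downstream consumers without any check against known-vulnerable dependencies. Since preview packages are consumed externally too, the argument in the release_ci.yml comment applies here as well; dropping `/p:NuGetAudit=false` from this one line (accepting that a preview publish may fail on a new advisory, exactly as a release would) or applying the same `-warnnotaserror:NU1901;NU1902;NU1903;NU1904` narrowing as suggested for pr_ci.yml would keep previews covered. If the decision is to leave previews unaudited, the comment should say so explicitly rather than just pointing at pr_ci.yml, e.g. `# NuGet audit is disabled for preview builds too; only release_ci.yml fails on vulnerable packages.`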
From: =?UTF-8?q?Zolt=C3=A1n=20Leh=C3=B3czky?=
Date: Mon, 17 Jun 2024 17:15:22 +0200
Subject: [PATCH 11/11] Grammar
---
 .github/workflows/pr_ci.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/pr_ci.yml b/.github/workflows/pr_ci.yml
index cf45cadfe05..7c3feb9e102 100644
--- a/.github/workflows/pr_ci.yml
+++ b/.github/workflows/pr_ci.yml
@@ -26,8 +26,8 @@ jobs:
 dotnet-version: '8.0.x'
 - name: Build
 # We disable NuGet audit warnings, see https://learn.microsoft.com/en-us/nuget/reference/errors-and-warnings/nu1901-nu1904.
- # Security issues being discovered in NuGet packages we use can happen any time, and thus all our CI builds that
- # treat warnings as errors could break anytime, without us changing the code. This prevents that. Treaing them as
+ # Security issues being discovered in NuGet packages we use can happen at any time, and thus all our CI builds that
+ # treat warnings as errors could break anytime, without us changing the code. This prevents that. Treating them as
 # warnings and other better approaches don't work, see https://github.com/OrchardCMS/OrchardCore/pull/16317.
 run: |
 dotnet build -c Release -warnaserror /p:TreatWarningsAsErrors=true /p:RunAnalyzers=true /p:NuGetAudit=false