Replace nuget-config packageSources while preserving mappings #58
travisbader wants to merge 1 commit into
Previously the convention replaced the entire file, which destroyed repo-specific packageSourceMapping entries. The new behavior uses XmlDocument to surgically replace only the packageSources element, leaving all other sections (packageSourceMapping, activePackageSource, etc.) intact. Also adds <clear /> and the Faithlife Azure feed to the published template so repos start with the correct baseline.
| <?xml version="1.0" encoding="utf-8"?> | ||
| <configuration> | ||
| <packageSources> | ||
| <clear /> |
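Review bot: The <clear /> directly under <packageSources> should carry an XML comment in the template saying that it deliberately drops machine-level and user-level sources, so a developer whose local feed stops resolving can see why and where to add it. Since the convention replaces the whole <packageSources> element, any source that a repo's <packageSourceMapping> entries refer to by key also has to be listed in this template, or the preserved mappings will point at a source that no longer exists.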
Copilot's recommendation:
Without <clear />, NuGet inherits any machine-level or user-level package sources configured in global NuGet.config files. This can cause builds to resolve packages from unexpected sources, making builds non-reproducible across machines. <clear /> ensures only the explicitly listed sources are used.
I hate this because I can't use local package feeds. Strongly opposed.
@ejball can you please add me as an editor on this repo and take a look at this PR please. I suspect we may have omitted Faithlife Azure because we don't want it in a public repo, but I am unsure where it belongs if not here. Open to other / better ideas of how to approach this if you have them.
Don't use package source mappings; just disable the NU1507 warning.
So much simpler. Thanks
The nuget-config convention replaced the entire nuget.config file on any mismatch. Repos that have a <packageSourceMapping> section (required when using Azure Artifacts) would have it silently destroyed every time the convention ran.

This came up in the LogosCompilerService repo: https://github.com/LogosBible/LogosCompilerService/blob/master/nuget.config

Why not just bake all mappings into the convention?
We could as an alternative approach, but it would introduce quite a bit of noise about unrelated dependencies across all our repos. There are many different private packages.
OrdersApi.*, RoyaltyApi.*, Argus.*
AccountingApi.*, titanic, Faithlife.AiApi.*
Proclaim.*, ProclaimSignalR.*, SubscriptionsApi.v1.Client

What changed
convention.ps1 — Instead of a byte-for-byte file comparison and full replacement, the convention now uses XmlDocument to compare and replace only the <packageSources> element. All other sections (<packageSourceMapping>, <activePackageSource>, etc.) are left untouched.
files/nuget.config — The published template now includes <clear /> and the Faithlife Azure Artifacts feed.

Why <clear />?
Without <clear />, NuGet inherits any machine-level or user-level package sources configured in global NuGet.config files. This can cause builds to resolve packages from unexpected sources, making builds non-reproducible across machines. <clear /> ensures only the explicitly listed sources are used.
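The element-level replacement described under "What changed", sketched as an added PowerShell example that is not the PR's convention.ps1. Update-PackageSources is a hypothetical helper, and the sample template, repo file and mapping pattern are constructed for illustration.

```powershell
# Added example; Update-PackageSources is a hypothetical helper, not convention.ps1.
function Update-PackageSources {
    param([Parameter(Mandatory)] [string] $TemplateXml,
          [Parameter(Mandatory)] [string] $TargetXml)
    $template = [System.Xml.XmlDocument]::new()
    $template.PreserveWhitespace = $true
    $template.LoadXml($TemplateXml)
    $target = [System.Xml.XmlDocument]::new()
    $target.PreserveWhitespace = $true   # keep the rest of the repo file as written
    $target.LoadXml($TargetXml)

    $wanted = $template.SelectSingleNode('/configuration/packageSources')
    if ($null -eq $wanted) { throw 'Template has no <packageSources> element.' }
    $root = $target.SelectSingleNode('/configuration')
    if ($null -eq $root) { throw 'Target has no <configuration> root.' }

    $current = $root.SelectSingleNode('packageSources')
    if ($null -ne $current -and $current.OuterXml -eq $wanted.OuterXml) {
        return $TargetXml                # sources already match: leave the file alone
    }
    $imported = $target.ImportNode($wanted, $true)   # deep copy into the target document
    if ($null -eq $current) { [void] $root.PrependChild($imported) }
    else { [void] $root.ReplaceChild($imported, $current) }
    return $target.OuterXml
}

# Constructed sample input; the mapping pattern is a placeholder.
$templateXml = @'
<configuration>
  <packageSources>
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
</configuration>
'@
$repoXml = @'
<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
  <packageSourceMapping>
    <packageSource key="nuget.org"><package pattern="*" /></packageSource>
  </packageSourceMapping>
</configuration>
'@
$updated = Update-PackageSources -TemplateXml $templateXml -TargetXml $repoXml
if ($updated -notlike '*<clear />*') { throw '<clear /> was not applied.' }
if ($updated -notlike '*<packageSourceMapping>*') { throw 'Mapping section was lost.' }
$updated
```

Any source a repo had added to its own <packageSources> is overwritten by this replacement, so mappings that name such a source by key need that source in the template as well.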