Prevent NuGet audit warnings from failing the CI builds (Lombiq Technologies: OCORE-184) #16317
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…it warning" This reverts commit e8f8937.
hishamco
requested changes
Jun 17, 2024
.github/workflows/pr_ci.yml
Outdated
Comment on lines
28
to
31
| # We disable NuGet audit warnings, see https://learn.microsoft.com/en-us/nuget/reference/errors-and-warnings/nu1901-nu1904. | ||
| # Security issues being discovered in NuGet packages we use can happen any time, and thus all our CI builds that | ||
| # treat warnings as errors could break anytime, without us changing the code. This prevents that. Treaing them as | ||
| # warnings and other better approaches don't work, see https://github.com/OrchardCMS/OrchardCore/pull/16317. |
There was a problem hiding this comment.
Suggested change
| # We disable NuGet audit warnings, see https://learn.microsoft.com/en-us/nuget/reference/errors-and-warnings/nu1901-nu1904. | |
| # Security issues being discovered in NuGet packages we use can happen any time, and thus all our CI builds that | |
| # treat warnings as errors could break anytime, without us changing the code. This prevents that. Treaing them as | |
| # warnings and other better approaches don't work, see https://github.com/OrchardCMS/OrchardCore/pull/16317. | |
| # We disable NuGet audit warnings, see https://learn.microsoft.com/en-us/nuget/reference/errors-and-warnings/nu1901-nu1904. | |
| # Security issues being discovered in NuGet packages we use can happen at any time, and thus all our CI builds that | |
| # treat warnings as errors that could break anytime, without us changing the code. This prevents that. Treating them as | |
| # warnings and other better approaches don't work, see https://github.com/OrchardCMS/OrchardCore/pull/16317. |
hishamco
approved these changes
Jun 17, 2024
This was referenced Jul 1, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
NuGet security audit warnings should still show up in VS, and also in CI builds, but as warnings.
Formerly, due to CI builds treating warnings as errors (to prevent introducing new build warnings) these also failed CI builds. This is a problem because security issues being discovered in NuGet packages we use can happen any time, and thus all our CI builds could break anytime, without us changing the code
These warnings should still be addressed ASAP, of course, but they shouldn't block all other development. After #16284 this will happen automatically.
I tried to do this in a way that we still see the warning even in CI builds but couldn't succeed.
FYI what does NOT prevent these warnings from being treated as errors:
<WarningsNotAsErrors>NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors>in any or all of the files below (though it should work from aDirectory.Build.props, see Solution level NuGetAuditLevel settings NuGet/Home#13022).I also tried changing these two to include
$(WarningsNotAsErrors);but that didn't help:This only works when set in a csproj file, the one of the project that has an offending dependency. This obviously doesn't scale.
dotnet build:/p:WarningsNotAsErrors=NU1902,-warnNotAsError:NU1902,/warnaserror-:NU1902or-warnaserror-:NU1902(old switch, is not accepted at all),-warnAsMessage:NU1902,/property:WarningsNotAsErrors=NU1902.