From e1f01c8aa3588d77ac6a9493c33dac945be67cdc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 May 2026 02:55:35 +0000 Subject: [PATCH 1/3] Bump the actions-deps group with 5 updates (#140) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps the actions-deps group with 5 updates: | Package | From | To | | --- | --- | --- | | [actions/upload-artifact](https://github.com/actions/upload-artifact) | `7.0.0` | `7.0.1` | | [actions/download-artifact](https://github.com/actions/download-artifact) | `7.0.0` | `8.0.1` | | [softprops/action-gh-release](https://github.com/softprops/action-gh-release) | `2.6.2` | `3.0.0` | | [actions/create-github-app-token](https://github.com/actions/create-github-app-token) | `1.12.0` | `3.2.0` | | [dependabot/fetch-metadata](https://github.com/dependabot/fetch-metadata) | `2.5.0` | `3.1.0` | Updates `actions/upload-artifact` from 7.0.0 to 7.0.1
Release notes

Sourced from actions/upload-artifact's releases.

v7.0.1

What's Changed

Full Changelog: https://github.com/actions/upload-artifact/compare/v7...v7.0.1

Commits

Updates `actions/download-artifact` from 7.0.0 to 8.0.1
Release notes

Sourced from actions/download-artifact's releases.

v8.0.1

What's Changed

Full Changelog: https://github.com/actions/download-artifact/compare/v8...v8.0.1

v8.0.0

v8 - What's new

[!IMPORTANT] actions/download-artifact@v8 has been migrated to an ESM module. This should be transparent to the caller but forks might need to make significant changes.

[!IMPORTANT] Hash mismatches will now error by default. Users can override this behavior with a setting change (see below).

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to true.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

Full Changelog: https://github.com/actions/download-artifact/compare/v7...v8.0.0

Commits

Updates `softprops/action-gh-release` from 2.6.2 to 3.0.0
Release notes

Sourced from softprops/action-gh-release's releases.

v3.0.0

3.0.0 is a major release that moves the action runtime from Node 20 to Node 24. Use v3 on GitHub-hosted runners and self-hosted fleets that already support the Node 24 Actions runtime. If you still need the last Node 20-compatible line, stay on v2.6.2.

What's Changed

Other Changes 🔄

Changelog

Sourced from softprops/action-gh-release's changelog.

3.0.0

3.0.0 is a major release that moves the action runtime from Node 20 to Node 24. Use v3 on GitHub-hosted runners and self-hosted fleets that already support the Node 24 Actions runtime. If you still need the last Node 20-compatible line, stay on v2.6.2.

What's Changed

Other Changes 🔄

2.6.2

What's Changed

Other Changes 🔄

2.6.1

2.6.1 is a patch release focused on restoring linked discussion thread creation when discussion_category_name is set. It fixes [#764](https://github.com/softprops/action-gh-release/issues/764), where the draft-first publish flow stopped carrying the discussion category through the final publish step.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

2.6.0

2.6.0 is a minor release centered on previous_tag support for generate_release_notes, which lets workflows pin GitHub's comparison base explicitly instead of relying on the default range. It also includes the recent concurrent asset upload recovery fix, a working_directory docs sync, a checked-bundle freshness guard for maintainers, and clearer immutable-prerelease guidance where GitHub platform behavior imposes constraints on how prerelease asset uploads can be published.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

... (truncated)

Commits

Updates `actions/create-github-app-token` from 1.12.0 to 3.2.0
Release notes

Sourced from actions/create-github-app-token's releases.

v3.2.0

3.2.0 (2026-05-12)

Features

Bug Fixes

v3.1.1

3.1.1 (2026-04-11)

Bug Fixes

v3.1.0

3.1.0 (2026-04-11)

Bug Fixes

Features

v3.0.0

3.0.0 (2026-03-14)

Bug Fixes

... (truncated)

Changelog

Sourced from actions/create-github-app-token's changelog.

Changelog

3.2.0 (2026-05-12)

Features

Bug Fixes

Commits

Updates `dependabot/fetch-metadata` from 2.5.0 to 3.1.0
Release notes

Sourced from dependabot/fetch-metadata's releases.

v3.1.0

What's Changed

New Contributors

Full Changelog: https://github.com/dependabot/fetch-metadata/compare/v3...v3.1.0

v3.0.0

The breaking change is requiring Node.js version v24 as the Actions runtime.

What's Changed

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build-library-task.yml | 2 +- .github/workflows/build-release-task.yml | 4 ++-- .github/workflows/merge-bot-pull-request.yml | 8 ++++---- .github/workflows/run-codegen-pull-request-task.yml | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build-library-task.yml b/.github/workflows/build-library-task.yml index c762d33..d4a5860 100644 --- a/.github/workflows/build-library-task.yml +++ b/.github/workflows/build-library-task.yml @@ -70,7 +70,7 @@ jobs: - name: Upload build artifacts step id: artifact-upload-step - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: library-build path: ${{ runner.temp }}/${{ env.PROJECT_ARTIFACT }} diff --git a/.github/workflows/build-release-task.yml b/.github/workflows/build-release-task.yml index a845259..1062fd9 100644 --- a/.github/workflows/build-release-task.yml +++ b/.github/workflows/build-release-task.yml @@ -41,7 +41,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Download library build artifacts step - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: artifact-ids: ${{ needs.build-library.outputs.artifact-id }} path: ./Publish @@ -53,7 +53,7 @@ jobs: # built the artifact, leaving "Browse files" and `git checkout ` # pointing at unrelated code. - name: Create GitHub release step - uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2 + uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0 with: generate_release_notes: true tag_name: ${{ needs.get-version.outputs.SemVer2 }} diff --git a/.github/workflows/merge-bot-pull-request.yml b/.github/workflows/merge-bot-pull-request.yml index d2ed4f4..d31883e 100644 --- a/.github/workflows/merge-bot-pull-request.yml +++ b/.github/workflows/merge-bot-pull-request.yml @@ -86,14 +86,14 @@ jobs: - name: Generate GitHub App token step id: app-token - uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: app-id: ${{ secrets.CODEGEN_APP_CLIENT_ID }} private-key: ${{ secrets.CODEGEN_APP_PRIVATE_KEY }} - name: Get dependabot metadata step id: metadata - uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2.5.0 + uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0 with: github-token: "${{ secrets.GITHUB_TOKEN }}" @@ -149,7 +149,7 @@ jobs: - name: Generate GitHub App token step id: app-token - uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: app-id: ${{ secrets.CODEGEN_APP_CLIENT_ID }} private-key: ${{ secrets.CODEGEN_APP_PRIVATE_KEY }} @@ -202,7 +202,7 @@ jobs: # origin, not by event actor), and the restricted GITHUB_TOKEN # is read-only. Same App token pattern as the other merge jobs. id: app-token - uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: app-id: ${{ secrets.CODEGEN_APP_CLIENT_ID }} private-key: ${{ secrets.CODEGEN_APP_PRIVATE_KEY }} diff --git a/.github/workflows/run-codegen-pull-request-task.yml b/.github/workflows/run-codegen-pull-request-task.yml index 51648fd..122c536 100644 --- a/.github/workflows/run-codegen-pull-request-task.yml +++ b/.github/workflows/run-codegen-pull-request-task.yml @@ -44,7 +44,7 @@ jobs: # guard), which previously required a close/reopen dance under a PAT # to nudge the auto-merge workflow — that dance is gone. id: app-token - uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: app-id: ${{ secrets.CODEGEN_APP_CLIENT_ID }} private-key: ${{ secrets.CODEGEN_APP_PRIVATE_KEY }} From 377b7c0b67d8501257f8d438d665f7bfe2e32454 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 May 2026 14:45:33 +0000 Subject: [PATCH 2/3] Bump the nuget-deps group with 4 updates (#141) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Updated [Microsoft.Extensions.Http.Resilience](https://github.com/dotnet/extensions) from 10.5.0 to 10.6.0.
Release notes _Sourced from [Microsoft.Extensions.Http.Resilience's releases](https://github.com/dotnet/extensions/releases)._ ## 10.6.0 Version 10.6.0 stabilizes the response continuation token and background-response APIs in Microsoft.Extensions.AI.Abstractions. Most other AI work for May shipped in 10.5.1; this monthly release rolls those changes up alongside dependency updates and a small Resource Monitoring cleanup. ## Experimental API Changes ### Now Stable * ResponseContinuationToken and background-response APIs are now stable (previously `MEAI001`) #​7512 ## What's Changed ### AI * Stabilize ResponseContinuationToken / background-response APIs #​7512 by @​jozkee (co-authored by @​Copilot) ## Repository Infrastructure Updates * Update version to 10.6.0 #​7458 by @​jeffhandley * [main] Update dependencies from dotnet/arcade #​7451 * Bump follow-redirects from 1.15.11 to 1.16.0 in /src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript/azure-devops-report/tasks/PublishAIEvaluationReport #​7469 * Merge release/10.5 into main #​7470 by @​jeffhandley * Bump microsoft.visualstudio.slngen.tool from 12.0.13 to 12.0.32 #​7484 * Bump postcss from 8.5.9 to 8.5.12 in /src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript #​7494 * Bump dotnet-reportgenerator-globaltool from 5.5.7 to 5.5.9 #​7504 * Rename release-notes skill to write-release-notes #​7511 by @​jeffhandley (co-authored by @​Copilot) ## Acknowledgements * @​wtgodbe @​tarekgh @​peterwald @​JeremyLikness @​eiriktsarpalis @​ericstj @​evgenyfedorov2 reviewed pull requests **Full Changelog**: https://github.com/dotnet/extensions/compare/v10.5.2...v10.6.0 ## 10.5.2 This patch release ships a single fix to `Microsoft.Extensions.VectorData.Abstractions`, correcting `StorageName` resolution when external serialization is enabled. `Microsoft.Extensions.VectorData.ConformanceTests`, `Microsoft.Extensions.AI.Abstractions`, `Microsoft.Extensions.AI`, and `Microsoft.Extensions.AI.OpenAI` are published alongside it for version coherency — they contain no code changes from 10.5.1. ## Packages in this release | Package | Version | | --- | --- | | Microsoft.Extensions.VectorData.Abstractions | 10.5.2 | | Microsoft.Extensions.VectorData.ConformanceTests | 10.5.2 | | Microsoft.Extensions.AI.Abstractions | 10.5.2 | | Microsoft.Extensions.AI | 10.5.2 | | Microsoft.Extensions.AI.OpenAI | 10.5.2 | ## What's Changed ### Microsoft.Extensions.VectorData.Abstractions - Minor fixes to MEVD.Abstractions: correct `StorageName` behavior when external serialization is enabled, and disable a warning for `net462`. (by @​roji in [#​7475](https://github.com/dotnet/extensions/pull/7475)) **Full Changelog**: https://github.com/dotnet/extensions/compare/v10.5.1...v10.5.2 ## 10.5.1 Version 10.5.1 of the Microsoft.Extensions.AI packages stabilizes CodeInterpreter, WebSearch, and ImageGeneration tool content types. The release adds new experimental tool search and OpenAI request policy hooks. And the OpenTelemetry gen-ai semantic conventions are updated to align with v1.41. The 'aiagent-webapi' project template in Microsoft.Agents.AI.ProjectTemplates is updated to align with v1.3.0 of Agent Framework, updating the OpenTelemetry dependencies within the template projects as well. ## Packages in this release | Package | Version | |---------|---------| | Microsoft.Extensions.AI | 10.5.1 | | Microsoft.Extensions.AI.Abstractions | 10.5.1 | | Microsoft.Extensions.AI.OpenAI | 10.5.1 | | Microsoft.Extensions.AI.Templates | 10.5.1-preview.3.26251.3 | | Microsoft.Agents.AI.ProjectTemplates | 1.3.0-preview.1.26251.3 | ## Experimental API Changes ### Now Stable The following types previously emitted the `MEAI001` experimental diagnostic and are now stable. * CodeInterpreter and WebSearch tool content types are now stable #​7493 * `CodeInterpreterToolCallContent` * `CodeInterpreterToolResultContent` * `WebSearchToolCallContent` * `WebSearchToolResultContent` * ImageGeneration tool content types and tool are now stable #​7476 * `ImageGenerationToolCallContent` * `ImageGenerationToolResultContent` * `HostedImageGenerationTool` * `ImageGenerationOptions` * `ImageGenerationResponseFormat` (the `Hosted` enum value remains experimental) * `IImageGenerator` and the rest of the image generation infrastructure also remain experimental ### New Experimental APIs The following new APIs emit the `MEAI001` experimental diagnostic. * New experimental API: `HostedToolSearchTool` with `DeferredTools` for tool-search-driven deferred tool loading #​7471 * New experimental API: `OpenAIRequestPolicies` extension hook for appending `System.ClientModel.PipelinePolicy` instances to outgoing OpenAI requests #​7495 ### Breaking Changes to Experimental APIs * `WebSearchToolResultContent.Results` was renamed to `Outputs` as part of the stabilization in #​7493, aligning with `CodeInterpreterToolResultContent.Outputs`. The original `Results` property was included in version 10.4.0 and 10.5.0; this is a binary breaking change and consumers need to update to consume the updated property. ```diff WebSearchToolResultContent content = ...; - IList? items = content.Results; + IList? items = content.Outputs; ``` ... (truncated) Commits viewable in [compare view](https://github.com/dotnet/extensions/compare/v10.5.0...v10.6.0).
Updated [Microsoft.Extensions.Logging.Abstractions](https://github.com/dotnet/dotnet) from 10.0.7 to 10.0.8.
Release notes _Sourced from [Microsoft.Extensions.Logging.Abstractions's releases](https://github.com/dotnet/dotnet/releases)._ No release notes found for this version range. Commits viewable in [compare view](https://github.com/dotnet/dotnet/commits).
Updated [Microsoft.SourceLink.GitHub](https://github.com/dotnet/dotnet) from 10.0.203 to 10.0.300.
Release notes _Sourced from [Microsoft.SourceLink.GitHub's releases](https://github.com/dotnet/dotnet/releases)._ ## 10.0.300 You can build .NET 10.0 from the repository by cloning the release tag `v10.0.300` and following the build instructions in the [main README.md](https://github.com/dotnet/dotnet/blob/v10.0.300/README.md#building). Alternatively, you can build from the sources attached to this release directly. More information on this process can be found in the [dotnet/dotnet repository](https://github.com/dotnet/dotnet/blob/v10.0.300/README.md#building-from-released-sources). Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023 ## 10.0.204 You can build .NET 10.0 from the repository by cloning the release tag `v10.0.204` and following the build instructions in the [main README.md](https://github.com/dotnet/dotnet/blob/v10.0.204/README.md#building). Alternatively, you can build from the sources attached to this release directly. More information on this process can be found in the [dotnet/dotnet repository](https://github.com/dotnet/dotnet/blob/v10.0.204/README.md#building-from-released-sources). Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023 Commits viewable in [compare view](https://github.com/dotnet/dotnet/compare/v10.0.203...v10.0.300).
Updated [System.CommandLine](https://github.com/dotnet/dotnet) from 2.0.7 to 2.0.8.
Release notes _Sourced from [System.CommandLine's releases](https://github.com/dotnet/dotnet/releases)._ No release notes found for this version range. Commits viewable in [compare view](https://github.com/dotnet/dotnet/commits).
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Pieter Viljoen --- Directory.Packages.props | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Directory.Packages.props b/Directory.Packages.props index a4f52c4..893b9f3 100644 --- a/Directory.Packages.props +++ b/Directory.Packages.props @@ -1,16 +1,16 @@ - - + + - + - + From 0f69a1b0a04d671ed9e6eeed2b28626fe71f1b4e Mon Sep 17 00:00:00 2001 From: Pieter Viljoen Date: Wed, 13 May 2026 07:58:21 -0700 Subject: [PATCH 3/3] Document develop ruleset omitting branch-up-to-date check (#143) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Summary - Updates the [`AGENTS.md`](./AGENTS.md) "Branching Model" section to reflect that the develop ruleset's `strict_required_status_checks_policy` was flipped from `true` to `false` server-side today (rule id 12277308). - Replaces the bullet that said *develop keeps the up-to-date check on, only main omits it* with a two-part bullet covering both rulesets and their distinct reasons (main: graph-reachability after every merge release; develop: bot auto-merge race-proofing). - Adds a do-not-reintroduce warning and threads the relaxed-flag rationale through the parallel-bots bullet so a future template sync can't quietly put the flag back. ## Why [PR #141](https://github.com/ptr727/LanguageTags/pull/141) sat OPEN with all checks green and auto-merge armed because a sibling Dependabot PR (#140) against develop merged ~10 seconds after #141 opened, pushing #141 into `mergeStateStatus: BEHIND`. Auto-merge cannot fire while the strict flag is on, and nothing in the merge-bot (see [merge-bot-pull-request.yml](./.github/workflows/merge-bot-pull-request.yml)) auto-updates a bot branch in that window. The matching main-side PR ([#142](https://github.com/ptr727/LanguageTags/pull/142)) merged cleanly because main's ruleset already had strict off — that asymmetry is the smoking gun. ## Upstream template The yesterday-synced ProjectTemplate ruleset has the same `strict_required_status_checks_policy: true` on develop. Filed [ptr727/ProjectTemplate#82](https://github.com/ptr727/ProjectTemplate/issues/82) so the template gets the matching change and downstream consumers don't reintroduce the flag on their next sync. ## Scope Docs only. The actual ruleset flip was applied server-side and is already verifiable via `gh api repos/ptr727/LanguageTags/rules/branches/develop` → `strict_required_status_checks_policy: false`. PR #141 itself was unblocked separately (`gh api -X PUT .../pulls/141/update-branch`, re-arm auto-merge, merged at 14:45:33Z). ## Test plan - [ ] Copilot review on the current head — no factual / phrasing pushback. - [ ] `Check pull request workflow status` green. - [ ] Next pair of same-day Dependabot PRs against develop both auto-merge without anyone touching `gh pr update-branch`. (Will surface organically on the next daily run.) --- AGENTS.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/AGENTS.md b/AGENTS.md index e7d2102..606435e 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -19,8 +19,10 @@ This file is the canonical reference for cross-cutting AI-agent and workflow rul - `develop` → `main` is **merge-commit only** (no squash, no rebase). Merge commits preserve develop's commit list as a real second-parent reference on main, which is what makes the "release on every push" model attribute releases to the develop commits that produced them. Branch protection enforces this: the develop ruleset allows only `squash`, the main ruleset allows only `merge`. - All commits on both branches must be cryptographically signed (SSH or GPG). Squash and merge commits created via the GitHub UI are signed by GitHub's web-flow key. - **`develop` is forward-only — no `main → develop` back-merges.** The develop ruleset's squash-only setting physically blocks merge commits on develop. Historical back-merge commits visible in `git log` predate this rule and must not be repeated. -- **Main ruleset intentionally omits "Require branches to be up to date before merging".** This GitHub branch-protection check is graph-based — it asks whether main's tip commit is reachable from develop, not whether the two branches have the same content. After any develop → main release, main's tip is a brand-new merge commit that develop's history doesn't contain. Forward-only develop never adds it (no back-merge of main into develop), so the check would fail on every subsequent release. The develop ruleset keeps the "up to date" check on (it's normal hygiene for feature → develop merges); only the main ruleset omits it. -- **Bots (Dependabot and codegen) target both `main` and `develop` in parallel.** [`.github/dependabot.yml`](./.github/dependabot.yml) duplicates every ecosystem entry (one per branch) and [`.github/workflows/run-codegen-pull-request-task.yml`](./.github/workflows/run-codegen-pull-request-task.yml) runs as a matrix over both branches with branch names `codegen-main` and `codegen-develop`. Each branch absorbs its own bot PRs independently, so neither falls behind, and the forward-only rule still holds (nothing is back-merged from main to develop — both branches receive their updates directly). The merge-bot ([`.github/workflows/merge-bot-pull-request.yml`](./.github/workflows/merge-bot-pull-request.yml)) dispatches `--squash` or `--merge` from each PR's base ref via a `case` statement so the form matches the ruleset on either base. Dependabot **security** PRs (CVE-driven) always open against the repo default branch (`main`) regardless of `target-branch` — the same `case` statement covers them. +- **Both rulesets intentionally omit "Require branches to be up to date before merging" (`strict_required_status_checks_policy: false`), for two distinct reasons:** + - *Main* — the check is graph-based; it asks whether main's tip commit is reachable from develop, not whether the two branches have the same content. After any develop → main release, main's tip is a brand-new merge commit that develop's history doesn't contain. Forward-only develop never adds it (no back-merge of main into develop), so the check would fail on every subsequent release. + - *Develop* — bot auto-merge incompatibility. When two bot PRs against develop land in the same minute (e.g. two grouped Dependabot PRs from the same daily run), the first to merge pushes the second into `mergeStateStatus: BEHIND`. GitHub's auto-merge will not fire while the strict flag is on, and nothing in the workflow set auto-updates a bot branch in that window — the merge-bot only *enables* auto-merge on `opened`/`reopened` (see [`merge-bot-pull-request.yml`](./.github/workflows/merge-bot-pull-request.yml)). Real file-level conflicts are still caught textually (`mergeable: CONFLICTING` blocks merge regardless); semantic-but-not-textual conflicts that combine cleanly are caught by the post-merge develop CI run rather than pre-merge. Do not reintroduce the strict flag on develop thinking it's hygiene — it breaks bot auto-merge. +- **Bots (Dependabot and codegen) target both `main` and `develop` in parallel.** [`.github/dependabot.yml`](./.github/dependabot.yml) duplicates every ecosystem entry (one per branch) and [`.github/workflows/run-codegen-pull-request-task.yml`](./.github/workflows/run-codegen-pull-request-task.yml) runs as a matrix over both branches with branch names `codegen-main` and `codegen-develop`. Each branch absorbs its own bot PRs independently, so neither falls behind, and the forward-only rule still holds (nothing is back-merged from main to develop — both branches receive their updates directly). Parallel auto-merge across same-batch bot PRs is race-proof only because both rulesets have the strict "up to date" flag off (see bullet above). The merge-bot ([`.github/workflows/merge-bot-pull-request.yml`](./.github/workflows/merge-bot-pull-request.yml)) dispatches `--squash` or `--merge` from each PR's base ref via a `case` statement so the form matches the ruleset on either base. Dependabot **security** PRs (CVE-driven) always open against the repo default branch (`main`) regardless of `target-branch` — the same `case` statement covers them. - **Maintainer-pushed commits on a bot PR auto-disable auto-merge.** The merge-bot's `merge-dependabot` and `merge-codegen` jobs only fire on `opened` / `reopened` events (auto-merge is enabled exactly once per PR). When a maintainer pushes commits to a bot's branch (a `synchronize` event with an actor that isn't the same bot), the merge-bot's `disable-auto-merge-on-maintainer-push` job fires and calls `gh pr merge --disable-auto`. The maintainer's commits stay in the PR but won't auto-merge with the bot's content; re-enable auto-merge manually (`gh pr merge --auto ` or the GitHub UI) when ready. - **Why parallel dual-target rather than develop-only with eventual flow-through:** consumers (NuGet.org, GitHub releases) pull from `main` directly. A develop-only model would leave `main` running stale code during long-running develop features. Codegen content here is the embedded ISO 639-2/3 + RFC 5646 language data — production-critical and refreshed weekly — so both branches need fresh codegen on their own cadence.