Skip to content

ci: use NuGet lock file for deterministic dotnet restore in typespec-vs#10849

Draft
timotheeguerin wants to merge 1 commit into
microsoft:mainfrom
timotheeguerin:fix/dotnet-restore-no-cache
Draft

ci: use NuGet lock file for deterministic dotnet restore in typespec-vs#10849
timotheeguerin wants to merge 1 commit into
microsoft:mainfrom
timotheeguerin:fix/dotnet-restore-no-cache

Conversation

@timotheeguerin
Copy link
Copy Markdown
Member

@timotheeguerin timotheeguerin commented Jun 1, 2026
edited
Loading

Problem

PR #10824 introduced a regression in the publish pipeline where dotnet restore fails with NU1603 errors. CI didn't catch this because NuGet's global packages cache on GitHub Actions runners resolved transitive dependencies from previously cached packages.

Root Cause

Microsoft.VisualStudio.Workspace 17.12.19 declares dependencies on versions that were never published to nuget.org:

  • Microsoft.VisualStudio.Composition >= 17.10.39 (doesn't exist; 17.10.37 → 17.11.13)
  • Microsoft.VisualStudio.Shell.15.0 >= 17.10.40224 (doesn't exist; jumps to 17.11.40262)

This is a known VS SDK packaging issue. NuGet resolves to higher versions but emits NU1603, which errors out due to TreatWarningsAsErrors.

Fix

  1. Lock file for deterministic CI restores: Add RestorePackagesWithLockFile + commit packages.lock.json + use --locked-mode in CI/publish pipelines. This ensures resolution is validated at dev time (when updating the lock file) and CI uses exact pinned versions.

  2. Suppress NU1603 on affected packages: Add NoWarn="NU1603" to the Workspace and Workspace.VSIntegration PackageReferences — targeted suppression for this known VS SDK issue.

Changes

  • packages/typespec-vs/src/Microsoft.TypeSpec.VS.csproj: Add RestorePackagesWithLockFile, add NoWarn="NU1603" to Workspace refs
  • packages/typespec-vs/src/packages.lock.json: New lock file (committed)
  • .github/workflows/core-ci.yml: Use dotnet restore --locked-mode
  • eng/tsp-core/pipelines/templates/install.yml: Use dotnet restore --locked-mode
  • .gitignore: Exception for the NuGet lock file

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Jun 1, 2026
edited
Loading

❌ There is undocummented changes. Run chronus add to add a changeset or click here.

The following packages have changes but are not documented.

  • typespec-vs
Show changes

@timotheeguerin timotheeguerin force-pushed the fix/dotnet-restore-no-cache branch from c59e1d2 to f495a0b Compare June 1, 2026 14:43
@timotheeguerin timotheeguerin changed the title ci: add --no-cache to dotnet restore to prevent stale NuGet resolution ci: use NuGet lock file for deterministic dotnet restore in typespec-vs Jun 1, 2026
@microsoft-github-policy-service microsoft-github-policy-service Bot added the ide Issues for VS, VSCode, Monaco, etc. label Jun 1, 2026
@pkg-pr-new
Copy link
Copy Markdown

pkg-pr-new Bot commented Jun 1, 2026
edited
Loading

Open in StackBlitz

npm i https://pkg.pr.new/typespec-vs@10849

commit: 65b728e

@timotheeguerin timotheeguerin force-pushed the fix/dotnet-restore-no-cache branch from f495a0b to 3687486 Compare June 1, 2026 14:56
@azure-sdk-automation
Copy link
Copy Markdown

azure-sdk-automation Bot commented Jun 1, 2026
edited
Loading

You can try these changes here

🛝 Playground 🌐 Website 🛝 VSCode Extension

@timotheeguerin
ci: use NuGet lock file for deterministic dotnet restore in typespec-vs
65b728e 
Add packages.lock.json and use --locked-mode in CI to ensure
deterministic NuGet package resolution that matches what developers
see locally, preventing cache-induced discrepancies between CI and
publish agents.

Also fix NU1603 warnings from Microsoft.VisualStudio.Workspace
transitive dependencies by adding NoWarn on the affected packages.
The declared minimum versions (17.10.39, 17.10.40224) were never
published to nuget.org — this is a known VS SDK packaging issue.

Changes:
- Add RestorePackagesWithLockFile to csproj
- Add NoWarn=NU1603 to Workspace package references
- Commit packages.lock.json
- Use dotnet restore --locked-mode in CI and publish pipelines
- Add .gitignore exception for the lock file
@timotheeguerin timotheeguerin force-pushed the fix/dotnet-restore-no-cache branch from 3687486 to 65b728e Compare June 1, 2026 14:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@RodgeFu RodgeFu Awaiting requested review from RodgeFu RodgeFu will be requested when the pull request is marked ready for review RodgeFu is a code owner

@lirenhe lirenhe Awaiting requested review from lirenhe lirenhe will be requested when the pull request is marked ready for review lirenhe is a code owner

@bterlson bterlson Awaiting requested review from bterlson bterlson will be requested when the pull request is marked ready for review bterlson is a code owner

@markcowl markcowl Awaiting requested review from markcowl markcowl will be requested when the pull request is marked ready for review markcowl is a code owner

@witemple-msft witemple-msft Awaiting requested review from witemple-msft witemple-msft will be requested when the pull request is marked ready for review witemple-msft is a code owner

@iscai-msft iscai-msft Awaiting requested review from iscai-msft iscai-msft will be requested when the pull request is marked ready for review iscai-msft is a code owner

@catalinaperalta catalinaperalta Awaiting requested review from catalinaperalta catalinaperalta will be requested when the pull request is marked ready for review catalinaperalta is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

eng ide Issues for VS, VSCode, Monaco, etc.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@timotheeguerin