From 43c4ac77b479d6386fb841f8b11a60f0b877f43d Mon Sep 17 00:00:00 2001 From: Jonathan Peppers Date: Wed, 27 May 2026 14:37:09 -0500 Subject: [PATCH] [ci] Scope Dependabot NuGet scanning to stable-SDK directories MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Dependabot's NuGet job has been failing on main with `dependency_file_not_found` / `MissingFileException`. Root cause: Dependabot's container only ships the previous-stable .NET SDK (currently 10.0) with no Android workload, while `main` always targets the next .NET release. MSBuild evaluation aborts on any `net*-android` csproj, killing the job. Replace `directory: /` with a `directories:` allow-list of folders that build cleanly against the stable SDK with no Android workload: /build-tools, /tools, and /src/Xamarin.Android.Build.Tasks. This is permanent — main will always be one release ahead of Dependabot — so we accept that packages only referenced from net*-android projects won't get automatic update PRs. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/dependabot.yml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index c5872848d22..f91ec07e458 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,8 +1,18 @@ # https://docs.github.com/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/ version: 2 updates: + # NuGet scanning is intentionally scoped to a curated allow-list of + # directories whose projects build against the previous-stable .NET + # SDK (currently net10.0) with no Android workload. `main` always + # targets the next .NET release, so Dependabot's container (which + # only has the stable SDK) cannot evaluate net*-android projects. + # Extend this list when a new non-android-workload project is added + # in a different folder. - package-ecosystem: "nuget" - directory: "/" + directories: + - "/build-tools" + - "/tools" + - "/src/Xamarin.Android.Build.Tasks" schedule: interval: "weekly" - package-ecosystem: "gradle"