Add build axis, upload artifacts, restrict to private repox, introduce package locking

Author: nquinquenel

.github/workflows/build-fork.yml

@@ -10,40 +10,112 @@ on:
   merge_group:
   workflow_dispatch:
 
+permissions:
+  id-token: write
+  contents: write
+
+env:
+  DOTNET_SKIP_FIRST_TIME_EXPERIENCE: "true"
+  DOTNET_CLI_TELEMETRY_OPTOUT: "true"
+
 jobs:
-  build:
+  build_windows:
     runs-on: github-windows-latest-s
-    name: Build
-    permissions:
-      id-token: write
-      contents: write
+    name: Build Windows (net472 + net6)
+    steps:
+      - uses: jdx/mise-action@c37c93293d6b742fc901e1406b8f764f6fb19dac # v2.4.4
+        with:
+          version: 2025.7.12
+
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          clean: "false"
+          fetch-depth: "0"
+
+      - name: 🎁 Get Repox Credentials from Vault
+        id: secrets
+        uses: SonarSource/vault-action-wrapper@v3
+        with:
+          secrets: |
+            development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader username | ARTIFACTORY_USER;
+            development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader access_token | ARTIFACTORY_ACCESS_TOKEN;
+            development/kv/data/next url | SQS_NEXT_URL;
+            development/kv/data/next token | SQS_NEXT_TOKEN;
+
+      - name: 🔨 Build and Package
+        env:
+          ARTIFACTORY_USER: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_USER }}
+          ARTIFACTORY_PASSWORD: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }}
+        run: |
+          powershell -File build.ps1 -target Quick -configuration Release
+
+      - name: ⬆️ Upload Windows Artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: omnisharp-windows
+          path: artifacts/package/**/omnisharp-*.*
+          if-no-files-found: error
+
+      - name: 🎁 Install SonarScanner
+        env:
+          ARTIFACTORY_USER: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_USER }}
+          ARTIFACTORY_PASSWORD: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }}
+        run: |
+          dotnet tool install --global dotnet-sonarscanner
+
+      - name: ⚙️ Analyze on SQS Next
+        env:
+          ARTIFACTORY_USER: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_USER }}
+          ARTIFACTORY_PASSWORD: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }}
+          SONAR_URL: ${{ fromJSON(steps.secrets.outputs.vault).SQS_NEXT_URL }}
+          SONAR_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).SQS_NEXT_TOKEN }}
+        run: |
+          bash .github/workflows/build_scan_dotnet.sh
+
+  build_linux:
+    runs-on: github-ubuntu-latest-s
+    name: Build Linux (mono + net6)
     steps:
+      - uses: jdx/mise-action@c37c93293d6b742fc901e1406b8f764f6fb19dac # v2.4.4
+        with:
+          version: 2025.7.12
+
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          clean: "false"
+          fetch-depth: "0"
+
+      - name: Install Mono
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y ca-certificates gnupg
+          sudo gpg --homedir /tmp --no-default-keyring --keyring /usr/share/keyrings/mono-official-archive-keyring.gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF
+          echo "deb [signed-by=/usr/share/keyrings/mono-official-archive-keyring.gpg] https://download.mono-project.com/repo/ubuntu stable-focal main" | sudo tee /etc/apt/sources.list.d/mono-official-stable.list
+          sudo apt-get update
+          sudo apt-get install -y mono-complete mono-roslyn msbuild
+          sudo rm -rf /var/lib/apt/lists/*
+
+      - name: 🎁 Get Repox Credentials from Vault
+        id: secrets
+        uses: SonarSource/vault-action-wrapper@v3
+        with:
+          secrets: |
+            development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader username | ARTIFACTORY_USER;
+            development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader access_token | ARTIFACTORY_ACCESS_TOKEN;
+
+      - name: 🔨 Build and Package
+        env:
+          ARTIFACTORY_USER: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_USER }}
+          ARTIFACTORY_PASSWORD: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }}
+        run: |
+          chmod +x ./build.sh
+          ./build.sh --target Quick --configuration Release
 
-    - uses: jdx/mise-action@c37c93293d6b742fc901e1406b8f764f6fb19dac # v2.4.4
-      with:
-        version: 2025.7.12
-
-    - name: Checkout
-      uses: actions/checkout@v2
-      with:
-        clean: "false"
-        fetch-depth: "0"
-
-    - name: 🎁 Get Repox Credentials from Vault
-      id: secrets
-      uses: SonarSource/vault-action-wrapper@v3
-      with:
-        secrets: |
-          development/kv/data/next url | SQS_NEXT_URL;
-          development/kv/data/next token | SQS_NEXT_TOKEN;
-
-    - name: 🎁 Install SonarScanner
-      run: |
-        dotnet tool install --global dotnet-sonarscanner
-
-    - name: ⚙️ Build and analyze dotnet project on SQS Next
-      env:
-        SONAR_URL: ${{ fromJSON(steps.secrets.outputs.vault).SQS_NEXT_URL }}
-        SONAR_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).SQS_NEXT_TOKEN }}
-      run: |
-        bash .github/workflows/build_scan_dotnet.sh
+      - name: ⬆️ Upload Linux Artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: omnisharp-linux
+          path: artifacts/package/**/omnisharp-*.*
+          if-no-files-found: error

.gitignore

@@ -27,7 +27,10 @@ nuget.exe
 debugSettings.json
 buildlog
 /.vs
-*.lock.json
+# Ignore old project.lock.json but keep packages.lock.*.json for reproducible builds
+project.lock.json
+!packages.lock.windows.json
+!packages.lock.linux.json
 /omnisharp*.tar.gz
 scripts/Omnisharp*
 .msbuild-*/

Directory.Build.props

@@ -3,6 +3,13 @@
     <RepositoryRootDirectory>$(MSBuildThisFileDirectory)</RepositoryRootDirectory>
 
     <RestoreUseStaticGraphEvaluation>true</RestoreUseStaticGraphEvaluation>
+
+    <!-- Enable NuGet package lock files for reproducible builds -->
+    <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
+
+    <!-- Use platform-specific lock files -->
+    <NuGetLockFilePath Condition="$([MSBuild]::IsOSPlatform('Windows'))">$(MSBuildProjectDirectory)\packages.lock.windows.json</NuGetLockFilePath>
+    <NuGetLockFilePath Condition="!$([MSBuild]::IsOSPlatform('Windows'))">$(MSBuildProjectDirectory)\packages.lock.linux.json</NuGetLockFilePath>
   </PropertyGroup>
 
   <Import Project="build\Settings.props" />

NuGet.Config

@@ -1,17 +1,53 @@
 <?xml version="1.0" encoding="utf-8"?>
+
 <configuration>
     <packageSources>
         <clear />
-        <add key="NuGet" value="https://api.nuget.org/v3/index.json" />
-        <add key="dotnet-tools" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-tools/nuget/v3/index.json" />
-        <add key="dotnet6" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet6/nuget/v3/index.json" />
-        <add key="dotnet6-transport" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet6-transport/nuget/v3/index.json" />
-        <add key="vs-impl" value="https://pkgs.dev.azure.com/azure-public/vside/_packaging/vs-impl/nuget/v3/index.json" />
-        <add key="OmniSharp" value="https://www.myget.org/F/omnisharp/api/v3/index.json" />
+        <add key="Repox" value="https://repox.jfrog.io/artifactory/api/nuget/v3/nuget/index.json" protocolVersion="3" />
+        <add key="DotnetTools" value="https://repox.jfrog.io/artifactory/api/nuget/v3/dotnet-tools/index.json" protocolVersion="3" />
+        <add key="Dotnet6" value="https://repox.jfrog.io/artifactory/api/nuget/v3/dotnet6/index.json" protocolVersion="3" />
     </packageSources>
+
+    <packageSourceCredentials>
+        <Repox>
+            <add key="Username" value="%ARTIFACTORY_USER%" />
+            <add key="ClearTextPassword" value="%ARTIFACTORY_PASSWORD%" />
+        </Repox>
+        <DotnetTools>
+            <add key="Username" value="%ARTIFACTORY_USER%" />
+            <add key="ClearTextPassword" value="%ARTIFACTORY_PASSWORD%" />
+        </DotnetTools>
+        <Dotnet6>
+            <add key="Username" value="%ARTIFACTORY_USER%" />
+            <add key="ClearTextPassword" value="%ARTIFACTORY_PASSWORD%" />
+        </Dotnet6>
+    </packageSourceCredentials>
+
+    <config>
+        <clear />
+        <add key="signatureValidationMode" value="require" />
+    </config>
+
+    <trustedSigners>
+        <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
+            <certificate fingerprint="0e5f38f57dc1bcc806d8494f4f90fbcedd988b46760709cbeec6f4219aa6157d"
+                         hashAlgorithm="SHA256" allowUntrustedRoot="false" />
+            <certificate fingerprint="5a2901d6ada3d18260b9c6dfe2133c95d74b9eef6ae0e5dc334c8454d1477df4"
+                         hashAlgorithm="SHA256" allowUntrustedRoot="false" />
+            <certificate fingerprint="1f4b311d9acc115c8dc8018b5a49e00fce6da8e2855f9f014ca6f34570bc482d"
+                         hashAlgorithm="SHA256" allowUntrustedRoot="false" />
+        </repository>
+        <author name="Microsoft">
+            <!-- Subject Name: CN=Microsoft Corporation, valid from 2023-07-27 -->
+            <certificate fingerprint="566A31882BE208BE4422F7CFD66ED09F5D4524A5994F50CCC8B05EC0528C1353" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
+            <!-- Subject Name: CN=Microsoft Corporation, valid from: 2020-09-30 -->
+            <certificate fingerprint="AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
+        </author>
+    </trustedSigners>
+
     <packageSourceMapping>
         <clear />
-        <packageSource key="NuGet">
+        <packageSource key="Repox">
             <package pattern="Antlr4.*" />
             <package pattern="BenchmarkDotNet" />
             <package pattern="BenchmarkDotNet.*" />
@@ -48,15 +84,12 @@
             <!-- Needed for analysis -->
             <package pattern="dotnet-sonarscanner" />
         </packageSource>
-        <packageSource key="dotnet-tools">
+        <packageSource key="DotnetTools">
             <package pattern="microsoft.*" />
             <package pattern="NuGet.*" />
         </packageSource>
-        <packageSource key="dotnet6">
+        <packageSource key="Dotnet6">
             <package pattern="microsoft.*" />
         </packageSource>
     </packageSourceMapping>
-    <disabledPackageSources>
-        <clear />
-    </disabledPackageSources>
 </configuration>

build.cake

@@ -260,11 +260,12 @@ void BuildWithDotNetCli(BuildEnvironment env, string configuration)
 
     settings
         .SetConfiguration(configuration)
+        .WithProperty("RestoreLockedMode", "true") // Enforce NuGet package lock files
         .WithProperty("PackageVersion", env.VersionInfo.NuGetVersion)
         .WithProperty("AssemblyVersion", env.VersionInfo.AssemblySemVer)
         .WithProperty("FileVersion", env.VersionInfo.AssemblySemVer)
         .WithProperty("InformationalVersion", env.VersionInfo.InformationalVersion)
-        .WithProperty("RuntimeFrameworkVersion", "6.0.0-preview.7.21317.1") // Set the minimum runtime to a .NET 6 prerelease so that prerelease SDKs will be considered during rollForward.
+        .WithProperty("RuntimeFrameworkVersion", "6.0.36") // Set the minimum runtime to a .NET 6
         .WithProperty("RollForward", "LatestMajor");
 
     DotNetMSBuild("OmniSharp.sln", settings);
@@ -538,11 +539,12 @@ string PublishBuild(string project, BuildEnvironment env, BuildPlan plan, string
             Configuration = configuration,
             OutputDirectory = outputFolder,
             MSBuildSettings = new DotNetMSBuildSettings()
+                .WithProperty("RestoreLockedMode", "true") // Enforce NuGet package lock files
                 .WithProperty("PackageVersion", env.VersionInfo.NuGetVersion)
                 .WithProperty("AssemblyVersion", env.VersionInfo.AssemblySemVer)
                 .WithProperty("FileVersion", env.VersionInfo.AssemblySemVer)
                 .WithProperty("InformationalVersion", env.VersionInfo.InformationalVersion)
-                .WithProperty("RuntimeFrameworkVersion", "6.0.0-preview.7.21317.1") // Set the minimum runtime to a .NET 6 prerelease so that prerelease SDKs will be considered during rollForward.
+                .WithProperty("RuntimeFrameworkVersion", "6.0.36") // Set the minimum runtime to a .NET 6
                 .WithProperty("RollForward", "LatestMajor"),
             ToolPath = env.DotNetCommand,
             WorkingDirectory = env.WorkingDirectory,
@@ -586,6 +588,7 @@ Task("PublishNuGet")
             OutputDirectory = "./artifacts/nuget/",
             MSBuildSettings = new DotNetMSBuildSettings()
                 .SetConfiguration(configuration)
+                .WithProperty("RestoreLockedMode", "true") // Enforce NuGet package lock files
                 .WithProperty("PackageVersion", env.VersionInfo.NuGetVersion)
                 .WithProperty("AssemblyVersion", env.VersionInfo.AssemblySemVer)
                 .WithProperty("FileVersion", env.VersionInfo.AssemblySemVer)