chore: bulk package/actions update

(cherry picked from commit 87c54dc)

Author: ChrisMcKee

.github/workflows/ci-build.yml

@@ -29,7 +29,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
     - name: 'Harden Runner'
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+      uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
       with:
         egress-policy: audit
 
@@ -39,7 +39,7 @@ jobs:
         fetch-depth: 0 # avoid shallow clone so nbgv can do its work.
 
     - name: 'Setup .NET SDK'
-      uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
+      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
       with:
         dotnet-version: 9.0.x
 
@@ -51,7 +51,7 @@ jobs:
       run: dotnet build --configuration Debug --no-restore
 
     - name: Upload Build Artifacts
-      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: build-artifacts
         path: |
@@ -63,17 +63,17 @@ jobs:
 
     - name: 'Test'
       id: test
-      run: dotnet test --no-build --restore --collect:"XPlat Code Coverage" --logger junit tests/UnitTests/BCrypt.Net.UnitTests.csproj
+      run: dotnet test --restore --collect:"XPlat Code Coverage" --logger junit --configuration Debug
 
     - name: 'Create test summary'
       uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4
       with:
-        paths: tests/**/TestResults.xml
+        paths: tests/UnitTests/**/TestResults.xml
         show: "fail, skip"
       if: always()
 
     - name: 'Generate Coverage Reports'
-      uses: danielpalme/ReportGenerator-GitHub-Action@c38c522d4b391c1b0da979cbb2e902c0a252a7dc # 5.4.3
+      uses: danielpalme/ReportGenerator-GitHub-Action@cc137d2b561c02b63ae869ffbe8f68af9d904bf4 # 5.4.6
       with:
         reports: "tests/**/coverage.cobertura.xml"
         targetdir: "${{ github.workspace }}"
@@ -98,7 +98,7 @@ jobs:
         thresholds: "10 30"
 
     - name: Upload Code Coverage Results
-      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: coverage-results
         path: |
@@ -107,13 +107,13 @@ jobs:
         retention-days: 5
 
     - name: Publish Test Results
-      uses: EnricoMi/publish-unit-test-result-action@170bf24d20d201b842d7a52403b73ed297e6645b # v2.18.0
+      uses: EnricoMi/publish-unit-test-result-action@afb2984f4d89672b2f9d9c13ae23d53779671984 # v2.19.0
       if: always()
       with:
         files: "tests/**/TestResults.xml"
 
     - name: Upload Test Artifacts
-      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: test-results
         path: "tests/**/TestResults.xml"

.github/workflows/ci-manual-build-test-sign.yml

@@ -34,7 +34,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+      uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
       with:
         egress-policy: audit
 
@@ -44,7 +44,7 @@ jobs:
         fetch-depth: 0 # avoid shallow clone so nbgv can do its work.
 
     - name: 'Setup .NET SDK'
-      uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
+      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
       with:
         dotnet-version: 9.0.x
 
@@ -77,92 +77,45 @@ jobs:
         Get-ChildItem -Path ${{ env.nupkgDirectory }} -Recurse -Force
 
     - name: Upload unsigned nupkgs
-      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: build-artifacts
         path: ${{ env.nupkgDirectory }}/*
         retention-days: 7
 
-  sign:
-    name: Sign
-    needs: build
-    runs-on: windows-latest
-    if:  ${{ inputs.perform_sign }} 
-    environment: release
-    permissions:
-      contents: read
-      id-token: write
-    steps:
-    - name: 'Setup .NET SDK'
-      uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
-
-    - name: 'Install Sign CLI'
-      run: dotnet tool install --tool-path ./sign  --prerelease sign
-
-    - name: 'Gather nupkgs from build output'
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
-      with:
-        name: build-artifacts
-        path : ${{ env.nupkgDirectory }}
-
-    - name: List assets to be signed
-      shell: pwsh
-      run: >
-        Get-ChildItem -Path ${{ env.nupkgDirectory }} -Include *.nupkg -Recurse -Force
-
-    - name: Authenticate to Azure
-      uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # 2.2.0
-      with:
-        allow-no-subscriptions : true
-        client-id: ${{ secrets.AZURE_CLIENT_ID }}
-        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
-        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-
-    - name: Sign
-      shell: pwsh
-      run: >
-        ./sign/sign code azure-key-vault *.nupkg --base-directory ${{ env.nupkgDirectory }} --azure-key-vault-url "${{ secrets.AZURE_KEY_VAULT_URL }}" --azure-key-vault-certificate "${{ secrets.AZURE_KEY_VAULT_CERTIFICATE }}"
-
-    - name: Upload signed nupkgs
-      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
-      with:
-        name: signed-artifacts
-        path: ${{ env.nupkgDirectory }}/*
-        retention-days: 7
-
-  publish:
-    name: Publish to nuget
-    needs: sign
-    runs-on: ubuntu-latest
-    if:  ${{ inputs.perform_publish }}
-    environment: release
-    permissions:
-      id-token: write
-    steps:
-    - name: 'Harden Runner'
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
-    - name: 'Setup .NET SDK'
-      uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
-
-    - name: 'Gather nupkgs from signing output'
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
-      with:
-        name: signed-artifacts
-        path : ${{ env.nupkgDirectory }}
-
-    - name: List assets to be published
-      shell: pwsh
-      run: >
-        Get-ChildItem -Path ${{ env.nupkgDirectory }} -Filter *.nupkg -Recurse -Force
-
-      # Use --skip-duplicate to prevent errors if a package with the same version already exists.
-      # This allows a retry of a failed workflow, already published packages will be skipped without error.
-    - name: Publish NuGet package
-      shell: pwsh
-      run: >
-        foreach($file in (Get-ChildItem "${{ env.nupkgDirectory }}" -Recurse -Filter *.nupkg)) {
-          dotnet nuget push $file --api-key "${{ secrets.NUGET_APIKEY }}" --source https://api.nuget.org/v3/index.json --skip-duplicate
-        }
+  # publish:
+  #   name: Publish to nuget
+  #   needs: sign
+  #   runs-on: ubuntu-latest
+  #   if:  ${{ inputs.perform_publish }}
+  #   environment: release
+  #   permissions:
+  #     id-token: write
+  #   steps:
+  #   - name: 'Harden Runner'
+  #     uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+  #     with:
+  #       egress-policy: audit
+
+  #   - name: 'Setup .NET SDK'
+  #     uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+
+  #   - name: 'Gather nupkgs from signing output'
+  #     uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+  #     with:
+  #       name: signed-artifacts
+  #       path : ${{ env.nupkgDirectory }}
+
+  #   - name: List assets to be published
+  #     shell: pwsh
+  #     run: >
+  #       Get-ChildItem -Path ${{ env.nupkgDirectory }} -Filter *.nupkg -Recurse -Force
+
+  #     # Use --skip-duplicate to prevent errors if a package with the same version already exists.
+  #     # This allows a retry of a failed workflow, already published packages will be skipped without error.
+  #   - name: Publish NuGet package
+  #     shell: pwsh
+  #     run: >
+  #       foreach($file in (Get-ChildItem "${{ env.nupkgDirectory }}" -Recurse -Filter *.nupkg)) {
+  #         dotnet nuget push $file --api-key "${{ secrets.NUGET_APIKEY }}" --source https://api.nuget.org/v3/index.json --skip-duplicate
+  #       }

.github/workflows/codeql-analysis.yml

@@ -49,7 +49,7 @@ jobs:
 
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+      uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
       with:
         egress-policy: audit
 
@@ -59,7 +59,7 @@ jobs:
         fetch-depth: 0 # avoid shallow clone so nbgv can do its work.
 
     - name: 'Setup .NET SDK'
-      uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
+      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
       with:
         dotnet-version: 9.0.x
 

.github/workflows/dependency-review.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
         with:
           egress-policy: audit
 

.github/workflows/devskim.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+      uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
       with:
         egress-policy: audit
     - uses: actions/checkout@v4

.github/workflows/generate-publish-docs.yml

@@ -29,13 +29,18 @@ jobs:
       url: ${{ steps.deployment.outputs.page_url }}
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+      with:
+        egress-policy: audit
+
     - name: 'Checkout'
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         fetch-depth: 0 # avoid shallow clone so nbgv can do its work.
 
     - name: 'Setup .NET SDK'
-      uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
+      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
       with:
         dotnet-version: 9.0.x
 

.github/workflows/markdown-link-check.yml

@@ -23,7 +23,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
         with:
           egress-policy: audit
 

.github/workflows/upload-coverage-report.yml

@@ -18,17 +18,17 @@ jobs:
       github.event.workflow_run.conclusion == 'success'
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+      uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
       with:
         egress-policy: audit
 
     - name: 'Download coverage results'
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
       with:
         name: coverage-results
 
     - name: Add Code Coverage PR Comment
-      uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 # v2.9.1
+      uses: marocchino/sticky-pull-request-comment@67d0dec7b07ed060a405f9b2a64b8ab319fdd7db # v2.9.2
       if: github.event_name == 'pull_request'
       with:
         recreate: true

Directory.Packages.props

@@ -7,20 +7,20 @@
     <PackageVersion Include="DotNet.ReproducibleBuilds" Version="1.2.25" />
     <PackageVersion Include="Nerdbank.GitVersioning" Version="3.7.115" />
     <PackageVersion Include="Newtonsoft.Json" Version="13.0.3" />
-    <PackageVersion Include="SonarAnalyzer.CSharp" Version="10.6.0.109712" />
+    <PackageVersion Include="SonarAnalyzer.CSharp" Version="10.9.0.115408" />
     <PackageVersion Include="DotNetAnalyzers.DocumentationAnalyzers" Version="1.0.0-beta.59" />
     <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.13.0" />
-    <PackageVersion Include="xunit.v3" Version="1.1.0" />
-    <PackageVersion Include="xunit.runner.visualstudio" Version="3.0.2" />
+    <PackageVersion Include="xunit.v3" Version="2.0.2" />
+    <PackageVersion Include="xunit.runner.visualstudio" Version="3.1.0" />
     <PackageVersion Include="coverlet.collector" Version="6.0.4" />
-    <PackageVersion Include="JunitXml.TestLogger" Version="6.0.0" />
-    <PackageVersion Include="Microsoft.Sbom.Targets" Version="3.0.1" />
+    <PackageVersion Include="JunitXml.TestLogger" Version="6.1.0" />
+    <PackageVersion Include="Microsoft.Sbom.Targets" Version="3.1.0" />
     <PackageVersion Include="Microsoft.CodeCoverage" Version="17.13.0" />
     <PackageVersion Include="Microsoft.SourceLink.GitHub" Version="8.0.0" />
   </ItemGroup>
   <ItemGroup Condition="'$(TargetFramework)' == 'netstandard2.0' or '$(TargetFramework)' == 'net462'">
-    <PackageVersion Include="System.Text.RegularExpressions" Version="4.3.1" />
-    <PackageVersion Include="System.Memory" Version="4.6.0" />
+    <PackageVersion Include="System.Text.RegularExpressions" Version="[4.3,)" />
+    <PackageVersion Include="System.Memory" Version="[4.6,)" />
   </ItemGroup>
   <ItemGroup Condition="'$(TargetFramework)' == 'net9.0'">
     <PackageVersion Include="Microsoft.AspNetCore.DataProtection" Version="[9.0,)" />