chore(ci): add CodeQL, Dependabot, and release-please #43
Erlend Ellefsen (erlendellefsen) commented Jan 24, 2026
- Add CodeQL security scanning (weekly + on C# changes)
- Add Dependabot for NuGet and Actions updates
- Add release-please for automated releases with .csproj version sync
- Improve CI/CD with path filtering, concurrency, and format checking
- Add CODEOWNERS
- Align .csproj version to 1.2.5
Pull request overview
Adds automated security scanning, dependency update automation, and release automation to improve CI/CD reliability and governance for JsonApiToolkit.
Changes:
- Introduces CodeQL scanning and Dependabot update configuration.
- Adds release-please automation (including csproj version syncing) and updates package version to 1.2.5.
- Improves CI workflow behavior (path filtering, concurrency control, formatting checks) and adds CODEOWNERS.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| docs/docs/upgrade-guide.md | Adds an upgrade/migration guide tracking versions and planned breaking changes. |
| JsonApiToolkit/JsonApiToolkit.csproj | Updates package version to 1.2.5. |
| .github/workflows/release-please.yml | Adds release-please workflow for automated release PRs/releases. |
| .github/workflows/codeql.yml | Adds CodeQL analysis workflow for C# changes + weekly schedule. |
| .github/workflows/ci-cd.yml | Adds path-ignore filtering, concurrency, and CSharpier formatting checks. |
| .github/release.yml | Removes prior GitHub release notes configuration. |
| .github/release-please-config.json | Adds release-please configuration including csproj version syncing. |
| .github/dependabot.yml | Adds Dependabot config for NuGet and GitHub Actions updates (with grouping). |
| .github/CODEOWNERS | Adds default and workflow-specific code ownership rules. |
| .github/.release-please-manifest.json | Adds release-please manifest tracking current version (1.2.5). |
.github/workflows/release-please.yml

```yaml
      with:
        token: ${{ steps.app-token.outputs.token }}
        config-file: .github/release-please-config.json
        manifest-file: .github/release-please-manifest.json
```
manifest-file points to .github/release-please-manifest.json, but this PR adds the manifest as .github/.release-please-manifest.json (leading dot). Release-please will fail to start because it can’t find the manifest. Rename the manifest file or update manifest-file to the correct path so they match.
Suggested change:

```diff
-        manifest-file: .github/release-please-manifest.json
+        manifest-file: .github/.release-please-manifest.json
```
.github/release-please-config.json

```json
  "packages": {
    ".": {
      "release-type": "simple",
      "package-name": "JsonApiToolkit",
```
package-name is set to JsonApiToolkit, but the published NuGet PackageId is Intility.JsonApiToolkit (JsonApiToolkit/JsonApiToolkit.csproj). Using a different name here can lead to confusing release PRs/tags/changelog entries. Consider aligning package-name with the actual package id.
Suggested change:

```diff
-      "package-name": "JsonApiToolkit",
+      "package-name": "Intility.JsonApiToolkit",
```
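As an added example (not code from this PR or the JsonApiToolkit repository), a small pre-merge check that would catch both review findings above: it reads the `config-file` and `manifest-file` inputs from the release-please workflow step, verifies those paths exist in the repository, and compares each `package-name` in the config against the `PackageId` declared in the csproj. The workflow snippet, config JSON and csproj contents are constructed to mirror the PR, and the helper names are my own.

```python
import json
import re

# Constructed inputs that mirror this PR's files (not the repository's actual contents).
WORKFLOW = """\
      with:
        token: ${{ steps.app-token.outputs.token }}
        config-file: .github/release-please-config.json
        manifest-file: .github/release-please-manifest.json
"""
REPO_FILES = {
    ".github/release-please-config.json":
        '{"packages": {".": {"release-type": "simple", "package-name": "JsonApiToolkit"}}}',
    ".github/.release-please-manifest.json": '{".": "1.2.5"}',
    "JsonApiToolkit/JsonApiToolkit.csproj":
        "<Project><PropertyGroup><PackageId>Intility.JsonApiToolkit</PackageId>"
        "<Version>1.2.5</Version></PropertyGroup></Project>",
}


def workflow_inputs(workflow_yaml):
    """Read the simple `key: value` inputs handed to the release-please step."""
    return dict(re.findall(r"^\s*(config-file|manifest-file):\s*(\S+)\s*$", workflow_yaml, re.M))


def lint_release_please(workflow_yaml, files):
    """Return a list of findings; an empty list means workflow, config and csproj agree."""
    findings = []
    inputs = workflow_inputs(workflow_yaml)
    # 1. Every path the action is told to read must exist in the repository.
    for key in ("config-file", "manifest-file"):
        path = inputs.get(key)
        if path is None:
            findings.append(f"{key} not set in workflow")
        elif path not in files:
            findings.append(f"{key} points to {path}, which does not exist in the repo")
    # 2. package-name in the config should match the PackageId NuGet publishes under.
    config = json.loads(files.get(inputs.get("config-file", ""), "{}"))
    csproj_ids = set()
    for name, text in files.items():
        if name.endswith(".csproj"):
            csproj_ids.update(re.findall(r"<PackageId>([^<]+)</PackageId>", text))
    for pkg_path, pkg in config.get("packages", {}).items():
        pkg_name = pkg.get("package-name")
        if pkg_name and csproj_ids and pkg_name not in csproj_ids:
            findings.append(f"package-name {pkg_name!r} for {pkg_path!r} "
                            f"does not match csproj PackageId {sorted(csproj_ids)}")
    return findings


if __name__ == "__main__":
    for finding in lint_release_please(WORKFLOW, REPO_FILES):
        print("FAIL:", finding)
```

Against the constructed inputs the check reports the missing manifest path and the package-name mismatch; with both suggested changes applied it reports nothing.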