Merge branch 'main' into ml

Author: T-Gro

.github/workflows/commands.yml

@@ -5,15 +5,45 @@ on:
     types: [created]
 
 jobs:
+  authorize_commenter:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+    outputs:
+      allowed: ${{ steps.check.outputs.allowed }}
+    steps:
+      - name: Check commenter write access
+        id: check
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const actor = context.payload.comment.user.login;
+            const repo_owner = context.payload.repository.owner.login;
+            const repo_name = context.payload.repository.name;
+            try {
+              const { data: permission } = await github.rest.repos.getCollaboratorPermissionLevel({
+                owner: repo_owner,
+                repo: repo_name,
+                username: actor
+              });
+              const allowed = ['admin', 'write'].includes(permission.permission);
+              core.setOutput('allowed', allowed ? 'true' : 'false');
+            } catch (e) {
+              core.setOutput('allowed', 'false');
+            }
+
   parsing_job:
+    needs: authorize_commenter
     runs-on: ubuntu-latest
     permissions:
       issues: write  # Allow adding a reaction via the comment-pipeline
       pull-requests: write
     outputs:
       command: ${{ steps.parse.outputs.command }}
       arg: ${{ steps.parse.outputs.arguments }}
-    if: github.event.issue.pull_request
+    if: needs.authorize_commenter.outputs.allowed == 'true' && github.event.issue.pull_request
     steps:
       - name: Parse comment
         id: parse
@@ -27,13 +57,13 @@ jobs:
             /run test-baseline
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
-  # This second job by definiton runs user-supplied code - you must NOT elevate its permissions to `write`
-  # Malicious code could change nuget source URL, build targets or even compiler itself to pass a GH token
-  # And use it to create branches, spam issues etc. Any write-actions happen in the second job, which does not allow
-  # user extension points (i.e. plain scripts, must NOT run scripts from within checked-out code)
+  # This second job by definition runs user-supplied code - you must NOT elevate its permissions to `write`
   run-parsed-command:
     needs: parsing_job
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
     if: needs.parsing_job.outputs.command != ''
     steps:
 
@@ -130,6 +160,19 @@ jobs:
           echo "run_step_outcome=$run_step_outcome" >> $GITHUB_OUTPUT
           echo "hasPatch=$hasPatch" >> $GITHUB_OUTPUT
 
+      - name: Validate patch paths
+        if: ${{ steps.read-meta.outputs.run_step_outcome == 'success' && steps.read-meta.outputs.hasPatch == 'true' }}
+        run: |
+          # Forbid any .git* paths anywhere
+          if grep -E '^(\+\+\+|---) ' repo.patch | grep -E '(^|/)\.git(/|$)|(^|/)\.git'; then
+            echo "Patch touches .git paths; aborting"; exit 1
+          fi
+
+          # Allow only top-level src/, tests/, vsintegration/ changes
+          if grep -E '^(\+\+\+|---) ' repo.patch | grep -Ev '^(---|\+\+\+) (a|b)/(src|tests|vsintegration)/' | grep -E '^(---|\+\+\+) '; then
+            echo "Patch touches files outside allowed directories (src/tests/vsintegration); aborting"; exit 1
+          fi
+
       - name: Apply and push patch
         if: ${{ steps.read-meta.outputs.run_step_outcome == 'success' && steps.read-meta.outputs.hasPatch == 'true' }}
         run: |
@@ -142,7 +185,6 @@ jobs:
           echo "Pushing to origin $branch"
           git push origin HEAD:"$branch"
 
-
       - name: Count stats
         id: stats
         if: ${{ steps.read-meta.outputs.run_step_outcome == 'success' && steps.read-meta.outputs.hasPatch == 'true' }}
@@ -189,8 +231,6 @@ jobs:
         if: always()
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PR_NUMBER: ${{ env.PR_NUMBER }}
         run: |
-          # Use gh CLI to comment with multi-line markdown
           gh pr comment ${{ github.event.issue.number }} \
             --body-file pr_report.md

docs/release-notes/.FSharp.Compiler.Service/10.0.200.md

@@ -2,6 +2,10 @@
 
 * Type relations cache: optimize key generation ([Issue #19116](https://github.com/dotnet/fsharp/issues/18767)) ([PR #19120](https://github.com/dotnet/fsharp/pull/19120))
 
+### Added
+
+* FSharpDiagnostic: add default severity ([#19152](https://github.com/dotnet/fsharp/pull/19152))
+
 ### Breaking Changes
 
 * `SynExpr.LetOrUse` holds `SynLetOrUse`. ([PR #19090](https://github.com/dotnet/fsharp/pull/19090))

docs/release-notes/.FSharp.Compiler.Service/11.0.0.md

@@ -20,6 +20,7 @@
 * Add FSharpCodeCompletionOptions ([PR #19030](https://github.com/dotnet/fsharp/pull/19030))
 * Type checker: recover on checking binding parameter constraints ([#19046](https://github.com/dotnet/fsharp/pull/19046))
 * Debugger: provide breakpoint ranges for short lambdas ([#19067](https://github.com/dotnet/fsharp/pull/19067))
+* FSharpDiagnostic: add default severity ([#19152](https://github.com/dotnet/fsharp/pull/19152))
 
 ### Changed
 

eng/Version.Details.props

@@ -27,7 +27,7 @@ This file should be imported by eng/Versions.props
     <MicrosoftCodeAnalysisFeaturesPackageVersion>5.0.0-2.25480.7</MicrosoftCodeAnalysisFeaturesPackageVersion>
     <MicrosoftVisualStudioLanguageServicesPackageVersion>5.0.0-2.25480.7</MicrosoftVisualStudioLanguageServicesPackageVersion>
     <!-- dotnet/arcade dependencies -->
-    <MicrosoftDotNetArcadeSdkPackageVersion>11.0.0-beta.25603.2</MicrosoftDotNetArcadeSdkPackageVersion>
+    <MicrosoftDotNetArcadeSdkPackageVersion>11.0.0-beta.25617.1</MicrosoftDotNetArcadeSdkPackageVersion>
     <!-- _git/dotnet-optimization dependencies -->
     <optimizationlinuxarm64MIBCRuntimePackageVersion>1.0.0-prerelease.25502.1</optimizationlinuxarm64MIBCRuntimePackageVersion>
     <optimizationlinuxx64MIBCRuntimePackageVersion>1.0.0-prerelease.25502.1</optimizationlinuxx64MIBCRuntimePackageVersion>

eng/Version.Details.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Dependencies>
-  <Source Uri="https://github.com/dotnet/dotnet" Mapping="fsharp" Sha="29eefe27a350eb8b0bcbababa7863a0d1086295d" BarId="293166" />
+  <Source Uri="https://github.com/dotnet/dotnet" Mapping="fsharp" Sha="5661a2c0a84a3fd32916395b254ce50e5ad7e9fe" BarId="295411" />
   <ProductDependencies>
     <Dependency Name="Microsoft.Build" Version="18.1.0-preview-25515-01">
       <Uri>https://github.com/dotnet/msbuild</Uri>
@@ -76,9 +76,9 @@
     </Dependency>
   </ProductDependencies>
   <ToolsetDependencies>
-    <Dependency Name="Microsoft.DotNet.Arcade.Sdk" Version="11.0.0-beta.25603.2">
+    <Dependency Name="Microsoft.DotNet.Arcade.Sdk" Version="11.0.0-beta.25617.1">
       <Uri>https://github.com/dotnet/arcade</Uri>
-      <Sha>9851192f7f7a7ee352358cce2627160fd1f2a54e</Sha>
+      <Sha>47a8a69721dfea57b82121ac1458d2f5bba6abd2</Sha>
     </Dependency>
     <Dependency Name="optimization.windows_nt-x64.MIBC.Runtime" Version="1.0.0-prerelease.25502.1">
       <Uri>https://dev.azure.com/dnceng/internal/_git/dotnet-optimization</Uri>

eng/Versions.props

@@ -133,7 +133,7 @@
     <MicrosoftVisualStudioLanguageIntellisenseVersion>$(VisualStudioEditorPackagesVersion)</MicrosoftVisualStudioLanguageIntellisenseVersion>
     <MicrosoftVisualStudioPlatformVSEditorVersion>$(VisualStudioEditorPackagesVersion)</MicrosoftVisualStudioPlatformVSEditorVersion>
     <MicrosoftVisualStudioTextUIWpfVersion>$(VisualStudioEditorPackagesVersion)</MicrosoftVisualStudioTextUIWpfVersion>
-    <NuGetSolutionRestoreManagerInteropVersion>5.6.0</NuGetSolutionRestoreManagerInteropVersion>
+    <NuGetVisualStudioVersion>17.14.0</NuGetVisualStudioVersion>
     <MicrosoftVisualStudioExtensibilityTestingVersion>0.1.800-beta</MicrosoftVisualStudioExtensibilityTestingVersion>
     <MicrosoftVisualStudioExtensibilityTestingSourceGeneratorVersion>$(MicrosoftVisualStudioExtensibilityTestingVersion)</MicrosoftVisualStudioExtensibilityTestingSourceGeneratorVersion>
 

eng/common/core-templates/job/source-index-stage1.yml

@@ -3,7 +3,7 @@ parameters:
   sourceIndexBuildCommand: powershell -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "eng/common/build.ps1 -restore -build -binarylog -ci"
   preSteps: []
   binlogPath: artifacts/log/Debug/Build.binlog
-  condition: ''
+  condition: eq(variables['Build.SourceBranch'], 'refs/heads/main')
   dependsOn: ''
   pool: ''
   is1ESPipeline: ''
@@ -41,4 +41,4 @@ jobs:
 
   - template: /eng/common/core-templates/steps/source-index-stage1-publish.yml
     parameters:
-      binLogPath: ${{ parameters.binLogPath }}
+      binLogPath: ${{ parameters.binLogPath }}

eng/common/cross/build-rootfs.sh

@@ -72,7 +72,7 @@ __AlpinePackages+=" krb5-dev"
 __AlpinePackages+=" openssl-dev"
 __AlpinePackages+=" zlib-dev"
 
-__FreeBSDBase="13.4-RELEASE"
+__FreeBSDBase="13.5-RELEASE"
 __FreeBSDPkg="1.21.3"
 __FreeBSDABI="13"
 __FreeBSDPackages="libunwind"
@@ -383,7 +383,7 @@ while :; do
             ;;
         freebsd14)
             __CodeName=freebsd
-            __FreeBSDBase="14.2-RELEASE"
+            __FreeBSDBase="14.3-RELEASE"
             __FreeBSDABI="14"
             __SkipUnmount=1
             ;;

eng/common/internal-feed-operations.ps1

@@ -26,7 +26,7 @@ function SetupCredProvider {
   $url = 'https://raw.githubusercontent.com/microsoft/artifacts-credprovider/master/helpers/installcredprovider.ps1'
 
   Write-Host "Writing the contents of 'installcredprovider.ps1' locally..."
-  Invoke-WebRequest $url -OutFile installcredprovider.ps1
+  Invoke-WebRequest $url -UseBasicParsing -OutFile installcredprovider.ps1
 
   Write-Host 'Installing plugin...'
   .\installcredprovider.ps1 -Force

eng/common/post-build/nuget-verification.ps1

@@ -65,7 +65,7 @@ if ($NuGetExePath) {
         Write-Host "Downloading nuget.exe from $nugetExeUrl..."
         $ProgressPreference = 'SilentlyContinue'
         try {
-            Invoke-WebRequest $nugetExeUrl -OutFile $downloadedNuGetExe
+            Invoke-WebRequest $nugetExeUrl -UseBasicParsing -OutFile $downloadedNuGetExe
             $ProgressPreference = 'Continue'
         } catch {
             $ProgressPreference = 'Continue'