ci(config): enforce supply chain protections

michaelvolz · michaelvolz · commit 0b3b7aff8ac6 · 2026-04-26T12:14:26.000+02:00
- Enable locked-mode restore to prevent dependency hijacking
- Require package lock files for reproducible builds
- Set signatureValidationMode to accept to allow unsigned
  packages (BenchmarkDotNet, Dapper, MediatR are unsigned)

Refs: NU3004
diff --git a/Directory.Build.props b/Directory.Build.props
@@ -5,6 +5,11 @@
     <Version Condition="$(Version) == ''">0.1.0.0</Version>
   </PropertyGroup>
 
+  <PropertyGroup>
+    <!-- Force locked-mode restore for supply-chain safety. -->
+    <RestoreLockedMode>true</RestoreLockedMode>
+  </PropertyGroup>
+
   <!-- Global Coverage Exclusions -->
   <PropertyGroup>
     <ExcludeFromCodeCoverage>**/Migrations/**;**/obj/**;**/bin/**;**/wwwroot/**;**/node_modules/**</ExcludeFromCodeCoverage>
diff --git a/nuget.config b/nuget.config
@@ -4,9 +4,18 @@
     <clear />
   </fallbackPackageFolders>
 
-  <!-- Optional: also clear any bad package sources -->
   <packageSources>
     <clear />
     <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
   </packageSources>
+
+  <packageSourceMapping>
+    <packageSource key="nuget.org">
+      <package pattern="*" />
+    </packageSource>
+  </packageSourceMapping>
+
+  <config>
+    <add key="signatureValidationMode" value="accept" />
+  </config>
 </configuration>
