saan800 · saan800 · May 15, 2026 · May 15, 2026 · May 20, 2026
diff --git a/.claude/agent-memory/MEMORY.md b/.claude/agent-memory/MEMORY.md
@@ -0,0 +1,15 @@
+# Agent Memory
+
+## Feedback
+
+### NuGet .snupkg push to NuGet.org
+When reviewing `dotnet nuget push` steps targeting nuget.org, do NOT flag the absence of a separate `*.snupkg` push step. NuGet.org automatically detects and ingests the `.snupkg` symbol package when the corresponding `.nupkg` is pushed.
+
+### Dependabot NuGet PRs and the no-release label
+NuGet Dependabot PRs in `dependabot.yml` intentionally omit the `no-release` label. NuGet dependency bumps are deliberately release-worthy so consumers get updated packages. Do NOT flag this as missing.
+
+### ItemTests.ATest is an intentional placeholder
+The test `ATest` in `examples/MinimalWebApi/tests/MinimalWebApi.Tests.Api/Schema/ItemTests.cs` is a deliberate minimal placeholder — the example project needs at least one unit test to exercise the CI pipeline. Do NOT flag it as trivial, low-quality, or missing real assertions.
+
+### example-nuget-packages.yml is-release-branch: false is intentional
+The hardcoded `is-release-branch: false` in `.github/workflows/example-nuget-packages.yml` is intentional. This example project must never auto-release to NuGet.org. Do NOT flag the commented-out expression or the hardcoded false as an issue.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -55,7 +55,6 @@ updates:
         patterns:
           - "AwesomeAssertions*"
           - "coverlet*"
-          - "FakeItEasy*"
           - "GitHubActionsTestLogger"
           - "xunit*"
         update-types: ["minor", "patch"]
@@ -83,7 +82,6 @@ updates:
         patterns:
           - "AwesomeAssertions*"
           - "coverlet*"
-          - "FakeItEasy*"
           - "GitHubActionsTestLogger"
           - "xunit*"
         update-types: ["minor", "patch"]
diff --git a/.github/workflows/_check-release-eligibility.yml b/.github/workflows/_check-release-eligibility.yml
@@ -3,6 +3,11 @@ name: check-release-eligibility
 on:
   workflow_call:
     inputs:
+      harden-runner-policy:
+        description: "The egress policy for the Harden Runner step. Defaults to 'block'"
+        required: false
+        type: string
+        default: "block"
       is-release-branch:
         description: "If this is a release branch (e.g., main)"
         type: boolean
@@ -13,7 +18,7 @@ on:
         required: false
         default: false
     secrets:
-      GITHUB_ACCESS_TOKEN:
+      GITHUB_TOKEN:
         description: "GitHub token"
         required: true
     outputs:
@@ -31,10 +36,18 @@ jobs:
     outputs:
       should-release: ${{ steps.set-output.outputs.should-release }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          disable-sudo: true
+          egress-policy: ${{ inputs.harden-runner-policy }}
+          allowed-endpoints: >
+            api.github.com:443
+
       - name: Determine release eligibility
         id: set-output
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_ACCESS_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           REPO: ${{ github.repository }}
           SHA: ${{ github.sha }}
           IS_RELEASE_BRANCH: ${{ inputs.is-release-branch }}
@@ -59,14 +72,22 @@ jobs:
             # Extract PR numbers
             PRS=$(echo "$COMMITS" | grep -oE '#[0-9]+' | sort -u | tr -d '#')
 
-            # Check labels of each PR
-            for pr in $PRS; do
-              LABELS=$(gh api repos/$REPO/pulls/$pr --jq '.labels[].name')
-              if ! echo "$LABELS" | grep -q "no-release"; then
+            if [ -z "$PRS" ]; then
+              # Commits exist but no PR references found - release by default
+              if [ -n "$COMMITS" ]; then
                 should_release=true
-                break
               fi
-            done
+            else
+              # Check labels of each PR
+              for pr in $PRS; do
+                LABELS=$(gh api repos/$REPO/pulls/$pr --jq '.labels[].name')
+                if ! echo "$LABELS" | grep -q "no-release"; then
+                  should_release=true
+                  break
+                fi
+              done
+            fi
           fi
 
           echo "should-release=$should_release" >> $GITHUB_OUTPUT
+          echo "should-release=$should_release"
diff --git a/.github/workflows/_dependabot-auto-approve-and-merge.yml b/.github/workflows/_dependabot-auto-approve-and-merge.yml
@@ -12,8 +12,8 @@ on:
         required: true
         type: string
     secrets:
-      GITHUB_ACCESS_TOKEN:
-        description: "(ie: GITHUB_TOKEN) GitHub token"
+      GITHUB_TOKEN:
+        description: "GitHub token"
         required: true
 
 jobs:
@@ -28,6 +28,7 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
         with:
+          disable-sudo: true
           egress-policy: ${{ inputs.harden-runner-policy }}
 
       - name: Checkout
@@ -40,7 +41,7 @@ jobs:
       - name: Check for merge conflicts
         uses: sv-tools/block-merge-conflicts@911859e7a913f086e9f89db5117e0942690bd64e # v2.0.0
         with:
-          token: ${{ secrets.GITHUB_ACCESS_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Approve a PR if not already approved
         if: ${{ steps.dependabot-metadata.outputs.update-type != 'version-update:semver-major' }}
@@ -52,7 +53,7 @@ jobs:
           fi
         env:
           PR_URL: ${{ inputs.pr-url}}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_ACCESS_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   merge:
     runs-on: ubuntu-latest
@@ -64,6 +65,7 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
         with:
+          disable-sudo: true
           egress-policy: ${{ inputs.harden-runner-policy }}
 
       - name: Checkout
@@ -74,4 +76,4 @@ jobs:
         run: gh pr merge --auto --squash "$PR_URL"
         env:
           PR_URL: ${{ inputs.pr-url}}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_ACCESS_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/_dependency-review.yml b/.github/workflows/_dependency-review.yml
@@ -0,0 +1,31 @@
+name: dependency-review
+
+on:
+  workflow_call:
+    inputs:
+      harden-runner-policy:
+        description: "The egress policy for the Harden Runner step. Defaults to 'block'"
+        required: false
+        type: string
+        default: "block"
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        with:
+          disable-sudo: true
+          egress-policy: ${{ inputs.harden-runner-policy }}
+          allowed-endpoints: >
+            api.deps.dev:443
+            api.github.com:443
+            api.securityscorecards.dev:443
+            github.com:443
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Run dependency review
+        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
diff --git a/.github/workflows/_dotnet-build-test-pack-publish-nuget.yml b/.github/workflows/_dotnet-build-test-pack-publish-nuget.yml
@@ -51,8 +51,8 @@ on:
         required: false
         default: false
     secrets:
-      GITHUB_ACCESS_TOKEN:
-        description: "(ie: GITHUB_TOKEN) GitHub token"
+      GITHUB_TOKEN:
+        description: "GitHub token"
         required: true
       NUGET_API_KEY:
         description: "API key for nuget.org. Required if upload-to-nuget is true"
@@ -62,7 +62,8 @@ on:
         required: false
 
 permissions:
-  contents: read
+  contents: write
+  packages: write
   pull-requests: read
 
 jobs:
@@ -78,10 +79,10 @@ jobs:
       contents: read
       pull-requests: read
     with:
+      harden-runner-policy: ${{ inputs.harden-runner-policy }}
       is-release-branch: ${{ inputs.is-release-branch }}
       force-release: ${{ inputs.force-release }}
-    secrets:
-      GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_ACCESS_TOKEN }}
+    secrets: inherit
 
   build-and-test:
     uses: ./.github/workflows/_dotnet-build-and-test.yml
@@ -92,8 +93,7 @@ jobs:
       dotnet-version-matrix: ${{ inputs.dotnet-version-matrix }}
       dotnet-version: ${{ inputs.dotnet-version }}
       codecov-slug: ${{ inputs.codecov-slug }}
-    secrets:
-      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+    secrets: inherit
 
   pack:
     needs:
@@ -126,9 +126,7 @@ jobs:
       num-github-prerelease-packages-to-keep: ${{ inputs.num-github-prerelease-packages-to-keep }}
       upload-to-github: ${{ inputs.is-release-branch == false || needs.check-release-eligibility.outputs.should-release == 'false' }}
       upload-to-nuget: ${{ inputs.is-release-branch == true && needs.check-release-eligibility.outputs.should-release == 'true' }}
-    secrets:
-      GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_ACCESS_TOKEN }}
-      NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }}
+    secrets: inherit
 
   release:
     needs:
@@ -142,5 +140,4 @@ jobs:
     with:
       harden-runner-policy: ${{ inputs.harden-runner-policy }}
       version: ${{ needs.get-version.outputs.version }}
-    secrets:
-      GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_ACCESS_TOKEN }}
+    secrets: inherit
diff --git a/.github/workflows/_dotnet-publish-nuget.yml b/.github/workflows/_dotnet-publish-nuget.yml
@@ -42,8 +42,8 @@ on:
         required: false
         default: false
     secrets:
-      GITHUB_ACCESS_TOKEN:
-        description: "(ie: GITHUB_TOKEN) GitHub token to upload package to GitHub Package Registry. Required if upload-to-github is true"
+      GITHUB_TOKEN:
+        description: "GitHub token to upload package to GitHub Package Registry. Required if upload-to-github is true"
         required: false
       NUGET_API_KEY:
         description: "API key for nuget.org. Required if upload-to-nuget is true"
@@ -95,7 +95,7 @@ jobs:
           dotnet nuget push build-packages/*.nupkg
           --skip-duplicate
           --source https://nuget.pkg.github.com/${{ github.repository_owner }}/index.json
-          --api-key ${{ secrets.GITHUB_ACCESS_TOKEN }}
+          --api-key ${{ secrets.GITHUB_TOKEN }}
 
       - name: Publish symbol package(s) to GitHub Package Registry
         if: ${{ inputs.upload-to-github }}
@@ -104,7 +104,7 @@ jobs:
           dotnet nuget push build-packages/*.snupkg
           --skip-duplicate
           --source https://nuget.pkg.github.com/${{ github.repository_owner }}/index.json
-          --api-key ${{ secrets.GITHUB_ACCESS_TOKEN }}
+          --api-key ${{ secrets.GITHUB_TOKEN }}
 
       - name: Publish nuget and symbols package(s) to NuGet.org
         if: ${{ inputs.upload-to-nuget }}
@@ -168,7 +168,7 @@ jobs:
       matrix: ${{ fromJson(needs.discover-packages.outputs.matrix) }}
     steps:
       - name: Delete old versions for ${{ matrix.package }}
-        uses: actions/delete-package-versions@v5
+        uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55 # v5
         with:
           package-name: ${{ matrix.package }}
           package-type: nuget

diff --git a/.github/workflows/_github-tag-and-release.yml b/.github/workflows/_github-tag-and-release.yml
@@ -13,8 +13,8 @@ on:
         required: true
         type: string
     secrets:
-      GITHUB_ACCESS_TOKEN:
-        description: "(ie: GITHUB_TOKEN) GitHub token to upload tag and release with"
+      GITHUB_TOKEN:
+        description: "GitHub token to upload tag and release with"
         required: true
 
 permissions:
@@ -30,6 +30,7 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
         with:
+          disable-sudo: true
           egress-policy: ${{ inputs.harden-runner-policy }}
 
       - name: Checkout
@@ -42,7 +43,7 @@ jobs:
 
       - name: Tag
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_ACCESS_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           VERSION="${{ inputs.version }}"
           git tag -a "v$VERSION" -m "Release version $VERSION"
@@ -51,7 +52,7 @@ jobs:
       - name: Github Release
         uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_ACCESS_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           name: ${{ inputs.version }}
           tag_name: v${{ inputs.version }}

diff --git a/.github/workflows/_pr-labeler.yml b/.github/workflows/_pr-labeler.yml
@@ -9,8 +9,8 @@ on:
         type: string
         default: "block"
     secrets:
-      GITHUB_ACCESS_TOKEN:
-        description: "(ie: GITHUB_TOKEN) GitHub token"
+      GITHUB_TOKEN:
+        description: "GitHub token"
         required: true
 
 permissions:
@@ -37,7 +37,7 @@ jobs:
       - name: Validate PR title
         uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_ACCESS_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           # Configure which types are allowed (newline-delimited).
           # Default: https://github.com/commitizen/conventional-commit-types
@@ -96,9 +96,9 @@ jobs:
             api.github.com:443
 
       - name: Ensure Labels Exist
-        uses: actions/github-script@v9
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
         with:
-          github-token: ${{ secrets.GITHUB_ACCESS_TOKEN }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
             const labelConfig = {
               breaking:      { color: "b60205", description: "Introduces a breaking change" },
@@ -111,7 +111,8 @@ jobs:
               "help wanted": { color: "0E8A16", description: "Extra attention is needed" },
               invalid:       { color: "e4e669", description: "This doesn't seem right" },
               misc:          { color: "7057ff", description: "Non-functional changes such as performance, tests and refactoring" },
-              "no-release":  { color: "999999", description: "Changes don't require a release and wont be included in the release notes" },
+              "no-release":  { color: "999999", description: "Changes don't require a release" },
+              "no-release-notes": { color: "999999", description: "Changes wont be included in the release notes" },
               question:      { color: "d876e3", description: "Further information is requested" },
               wontfix:       { color: "ffffff", description: "This will not be worked on" },
             };
@@ -141,9 +142,9 @@ jobs:
             }
 
       - name: Label PR
-        uses: actions/github-script@v9
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
         with:
-          github-token: ${{ secrets.GITHUB_ACCESS_TOKEN }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
             const pr = context.payload.pull_request;
             const title = pr.title.toLowerCase();