Map SourceBranchName from sourcelink to RepositoryBranch for NuGet pack

[MattKotsenas]

Bug

Fixes: NuGet/Home#13625

Description

This is a companion PR for dotnet/sourcelink#1248. Once that change lands and sourcelink is emitting the source branch name, this PR consumes that value and sets it to RepositoryBranch as part of NuGet pack.

PR Checklist

• Meaningful title, helpful description and a linked NuGet/Home issue
• Added tests
• Link to an issue or pull request to update docs if this PR changes settings, environment variables, new feature, etc.

[baronfel]

This is pretty much exactly what I was hoping to see 👍

[MattKotsenas]

I'm going to wait to publish this until the SourceLink PR lands in case things change, specifically of interest are:

• The property name
• If the symbolic-ref prefixes are kept

Edit: Published to get eyes / feedback on this; it's still a chance that I'll need to update this if the SourceLink PR change's its property name.

[nkolev92]

Just a question about the potential risk here.

[nkolev92]

For the NuGet shepherd, let's wait for a review from @tmat before merging.

[tmat]

Is there a potential for private info leak if we publish the branch name by default?

For Repository URL we require the project to explicitly set PublishRepositoryUrl.

NuGet.Client/src/NuGet.Core/NuGet.Build.Tasks.Pack/NuGet.Build.Tasks.Pack.targets

Lines 292 to 293 in 60974f1

	<!-- The project must specify PublishRepositoryUrl=true in order to publish the URL, in order to prevent inadvertent leak of internal URL. -->
	<RepositoryUrl Condition="'$(RepositoryUrl)' == '' and '$(PublishRepositoryUrl)' == 'true'">$(PrivateRepositoryUrl)</RepositoryUrl>

Branch name might potentially include code names, etc.

[baronfel]

Good point - the commit sha is unique enough to not worry, but the branch could be behind the existing '$(PublishRepositoryUrl)' check (or a similarly named and documented check for the branch).

[MattKotsenas]

@baronfel / @tmat thoughts on re-using PublishRepositoryUrl or creating a new flag? I defer to the experts here.

[baronfel]

Happy to re-use the existing flag, mostly was bringing up the possibility of a new flag for completeness.

[nkolev92]

Would pack even set the repository details if the repository url was never provided?
Like if there's no repository url, but there's a branch.

[MattKotsenas]

Good reminder @nkolev92! I verified both here and with a quick local experiment that when $(PublishRepositoryUrl) is false the whole <repository /> node is omitted from the .nuspec.

@tmat / @baronfel, I believe this means the concern is already addressed? Let me know if there's anything I missed, or if there are any other issues. Thanks!

Edit: This comment is incorrect; see below.

[baronfel]

Perfect, that works for me. That's also the pattern we've used for the SDK Container source control information linkages.

[tmat]

Sounds good. Do we have a test?

[tmat]

Should also add a note to the documentation: https://github.com/dotnet/sourcelink/blob/669979bf371a587c908f732499df0ed883cd5d6c/docs/README.md?plain=1#L44

[MattKotsenas]

We don't have a test covering this part, and when I add one I'm not seeing the same behavior I see from the command line. I'm looking into it, but let's hold off on merging until we understand the difference.

Edit: OK I at least understand the difference. NuGet Package Explorer doesn't show the raw nuspec XML and seems to hide the <repository /> node if the url attribute is missing. Thus, my command line tests were invalid.

[MattKotsenas]

I'm going to go with gating the branch name on the repository URL as suggested above and we can take a look at how that feels.

Edit: Pushed. @tmat, @nkolev92, @baronfel; mind taking another look? Thanks!

[MattKotsenas]

Should also add a note to the documentation: https://github.com/dotnet/sourcelink/blob/669979bf371a587c908f732499df0ed883cd5d6c/docs/README.md?plain=1#L44

Available @ dotnet/sourcelink#1252

[baronfel]

Ok, we've got sourcelink merged and flowing to the dotnet/sdk again, so I think this is good to review+merge!