@dependabot
Contributor

@dependabot dependabot bot commented on behalf of github Feb 28, 2024

Bumps the microsoftdotnet group with 3 updates: Microsoft.DotNet.Arcade.Sdk, Microsoft.DotNet.Helix.Sdk and Microsoft.DotNet.SharedFramework.Sdk.

Updates Microsoft.DotNet.Arcade.Sdk from 8.0.0-beta.24113.2 to 8.0.0-beta.24123.1

Commits

Updates Microsoft.DotNet.Helix.Sdk from 8.0.0-beta.24113.2 to 8.0.0-beta.24123.1

Commits

Updates Microsoft.DotNet.SharedFramework.Sdk from 8.0.0-beta.24113.2 to 8.0.0-beta.24123.1

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com//pull/2502)

@dependabot dependabot bot added the area-codeflow for labeling automated codeflow. intentionally a different color! label Feb 28, 2024
@dotnet-policy-service dotnet-policy-service bot added the community-contribution Indicates that the PR has been added by a community member label Feb 28, 2024
@dependabot dependabot bot force-pushed the dependabot/nuget/microsoftdotnet-fd341e0a7c branch from 4dff7d3 to e59d7a3 Compare February 28, 2024 14:45
@danmoseley
Member

@joperezr I'm not sure whether it's ok for me to merge this or these are rows that maestro should update?

Bumps the microsoftdotnet group with 3 updates: [Microsoft.DotNet.Arcade.Sdk](https://github.com/dotnet/arcade), [Microsoft.DotNet.Helix.Sdk](https://github.com/dotnet/arcade) and [Microsoft.DotNet.SharedFramework.Sdk](https://github.com/dotnet/arcade).


Updates `Microsoft.DotNet.Arcade.Sdk` from 8.0.0-beta.24113.2 to 8.0.0-beta.24123.1
- [Commits](https://github.com/dotnet/arcade/commits)

Updates `Microsoft.DotNet.Helix.Sdk` from 8.0.0-beta.24113.2 to 8.0.0-beta.24123.1
- [Commits](https://github.com/dotnet/arcade/commits)

Updates `Microsoft.DotNet.SharedFramework.Sdk` from 8.0.0-beta.24113.2 to 8.0.0-beta.24123.1
- [Commits](https://github.com/dotnet/arcade/commits)

---
updated-dependencies:
- dependency-name: Microsoft.DotNet.Arcade.Sdk
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: microsoftdotnet
- dependency-name: Microsoft.DotNet.Helix.Sdk
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: microsoftdotnet
- dependency-name: Microsoft.DotNet.SharedFramework.Sdk
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: microsoftdotnet
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/nuget/microsoftdotnet-fd341e0a7c branch from e59d7a3 to e11ab36 Compare February 28, 2024 16:58
@eerhardt
Member

I don't think dependabot should be updating just one of these. I think we should let maestro do it on the normal "update arcade" schedule. Like #2231.

@joperezr
Member

joperezr commented Feb 28, 2024

Correct, we should disable updating Arcade produced packages. Arcade's release cycles are usually like this:

  1. Check in a change in dotnet/arcade.
  2. Do an official build, and produce new packages.
  3. Add these packages to the "Validation" channel.
  4. Run a series of validation steps, that will effectively test this arcade build against different repos to ensure things are working as expected.
  5. Only when all of those validations pass, then promote those packages to the "latest" channel.
  6. Once the packages are in the latest channel, create PRs in all repos that are subscribed so they ingest this new version.

Because of the way that dependabot works, it will detect that there are new packages from point #2, which means it will always try to create PRs to bump the versions before they have passed validation. For this reason, it's better to just disable/exclude these packages from dependabot's monitoring, and just allow regular dependency flow to manage them.

@danmoseley
Member

Ok, sounds good. I'll close this and look into disabling for them.
Does this apply to all of global.json? Should I have merged the code coverage tool updates?

@danmoseley danmoseley closed this Feb 28, 2024
@dependabot @github
Contributor Author

dependabot bot commented on behalf of github Feb 28, 2024

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

@danmoseley danmoseley deleted the dependabot/nuget/microsoftdotnet-fd341e0a7c branch February 28, 2024 18:44
@joperezr
Member

> Does this apply to all of global.json? Should I have merged the code coverage tool updates?

Not really, essentially we want dependabot to skip anything that is getting updated via dependency flow. For Aspire, that means any package that comes from dotnet/arcade, dotnet/extensions, microsoft/usvc-apiserver (which is dcp), dotnet/aspnetcore, and dotnet/runtime. When unclear if something is using dependency flow or not, a good rule of thumb that should work is to try to run `darc get-asset --name <package_name>` and if you get some results back, it means that this package is using dependency flow and likely something we don't want dependabot to update.
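
The exclusion discussed in this thread, sketched as a `.github/dependabot.yml` fragment. This is an added example, not the repository's actual configuration: the `directory` and `schedule` values are assumptions, and only the three package names that appear in this PR are listed.

```yaml
# Added example: keep Dependabot away from packages that arrive through
# dependency flow, so pre-validation builds are never proposed as updates.
version: 2
updates:
  - package-ecosystem: "nuget"
    directory: "/"            # assumed location of the manifests
    schedule:
      interval: "weekly"      # assumed schedule
    ignore:
      # Arcade-produced packages named in this PR. Closing a grouped PR
      # does not register an ignore, so the exclusion has to live here.
      - dependency-name: "Microsoft.DotNet.Arcade.Sdk"
      - dependency-name: "Microsoft.DotNet.Helix.Sdk"
      - dependency-name: "Microsoft.DotNet.SharedFramework.Sdk"
      # Add further entries for any package that `darc get-asset --name`
      # reports as managed by dependency flow.
```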

@github-actions github-actions bot locked and limited conversation to collaborators Apr 20, 2024