Merge branch 'main' into dependabot/nuget/Solutions/BenchmarkDotNet-0…

….13.12

.github/config/pr-autoflow.json

@@ -1,4 +1,4 @@
 {
   "AUTO_MERGE_PACKAGE_WILDCARD_EXPRESSIONS": "[\"Endjin.*\",\"Corvus.*\"]",
-  "AUTO_RELEASE_PACKAGE_WILDCARD_EXPRESSIONS": "[\"Corvus.AzureFunctionsKeepAlive\",\"Corvus.Configuration\",\"Corvus.ContentHandling\",\"Corvus.Deployment\",\"Corvus.DotLiquidAsync\",\"Corvus.EventStore\",\"Corvus.Extensions\",\"Corvus.Extensions.CosmosDb\",\"Corvus.Extensions.Newtonsoft.Json\",\"Corvus.Extensions.System.Text.Json\",\"Corvus.Identity\",\"Corvus.JsonSchema\",\"Corvus.Leasing\",\"Corvus.Monitoring\",\"Corvus.Retry\",\"Corvus.Storage\",\"Corvus.Tenancy\"]"
+  "AUTO_RELEASE_PACKAGE_WILDCARD_EXPRESSIONS": "[\"Corvus.AzureFunctionsKeepAlive\",\"Corvus.Configuration\",\"Corvus.ContentHandling\",\"Corvus.Deployment\",\"Corvus.Deployment.Dataverse\",\"Corvus.DotLiquidAsync\",\"Corvus.EventStore\",\"Corvus.Extensions\",\"Corvus.Extensions.CosmosDb\",\"Corvus.Extensions.Newtonsoft.Json\",\"Corvus.Extensions.System.Text.Json\",\"Corvus.Identity\",\"Corvus.JsonSchema\",\"Corvus.Leasing\",\"Corvus.Monitoring\",\"Corvus.Python\",\"Corvus.Retry\",\"Corvus.Storage\",\"Corvus.Tenancy\"]"
 }

.github/dependabot.yml

@@ -12,13 +12,4 @@ updates:
     microsoft-extensions:
       patterns:
       - Microsoft.Extensions.*
-    corvus:
-      patterns:
-      - Corvus.*
-    marain:
-      patterns:
-      - Marain.*
-    menes:
-      patterns:
-      - Menes.*
 

.github/workflows/auto_release.yml

@@ -12,9 +12,11 @@ jobs:
     steps:
     - name: Lookup default branch name
       id: lookup_default_branch
-      uses: actions/github-script@v6
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea   # v7.0.1
       with:
         github-token: ${{ secrets.GITHUB_TOKEN }}
+        retries: 6  # final retry should wait 64 seconds
+        retry-exempt-status-codes: 400,401,404,422    # GH will raise rate limits with 403 & 429 status codes
         result-encoding: string
         script: |
           const repo = await github.rest.repos.get({
@@ -28,9 +30,11 @@ jobs:
 
     - name: Lookup HEAD commit on default branch
       id: lookup_default_branch_head
-      uses: actions/github-script@v6
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea   # v7.0.1
       with:
         github-token: ${{ secrets.GITHUB_TOKEN }}
+        retries: 6  # final retry should wait 64 seconds
+        retry-exempt-status-codes: 400,401,404,422    # GH will raise rate limits with 403 & 429 status codes
         result-encoding: string
         script: |
           const branch = await github.rest.repos.getBranch({
@@ -50,9 +54,11 @@ jobs:
     steps:
     - name: Check for 'no_release' label on PR
       id: check_for_norelease_label
-      uses: actions/github-script@v6
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea   # v7.0.1
       with:
         github-token: ${{ secrets.GITHUB_TOKEN }}
+        retries: 6  # final retry should wait 64 seconds
+        retry-exempt-status-codes: 400,401,404,422    # GH will raise rate limits with 403 & 429 status codes
         script: |
             const labels = await github.rest.issues.listLabelsOnIssue({
               owner: context.payload.repository.owner.login,
@@ -91,9 +97,11 @@ jobs:
     steps:
     - name: Get Open PRs
       id: get_open_pr_list
-      uses: actions/github-script@v6
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea   # v7.0.1
       with:
         github-token: ${{ secrets.GITHUB_TOKEN }}
+        retries: 6  # final retry should wait 64 seconds
+        retry-exempt-status-codes: 400,401,404,422    # GH will raise rate limits with 403 & 429 status codes
         # find all open PRs that are targetting the default branch (i.e. main/master)
         # return their titles, so they can parsed later to determine if they are
         # Dependabot PRs and whether we should wait for them to be auto-merged before
@@ -115,9 +123,11 @@ jobs:
 
     - name: Get 'pending_release' PRs
       id: get_release_pending_pr_list
-      uses: actions/github-script@v6
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea   # v7.0.1
       with:
         github-token: ${{ secrets.GITHUB_TOKEN }}
+        retries: 6  # final retry should wait 64 seconds
+        retry-exempt-status-codes: 400,401,404,422    # GH will raise rate limits with 403 & 429 status codes
         script: |
           const repoWithOwner = `${context.payload.repository.owner.login}/${context.payload.repository.name}`;
           const pulls = await github.rest.search.issuesAndPullRequests({
@@ -148,7 +158,7 @@ jobs:
         EOF
         echo "is_release_pending : ${{ steps.get_release_pending_pr_list.outputs.is_release_pending }}"
 
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
     - name: Read pr-autoflow configuration
       id: get_pr_autoflow_config
       uses: endjin/pr-autoflow/actions/read-configuration@v4
@@ -157,8 +167,10 @@ jobs:
 
     - name: Check Human PR
       id: is_human_pr
-      uses: actions/github-script@v6
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea   # v7.0.1
       with:
+        retries: 6  # final retry should wait 64 seconds
+        retry-exempt-status-codes: 400,401,404,422    # GH will raise rate limits with 403 & 429 status codes
         script: |
           return context.payload.pull_request.user.login != 'dependabot[bot]' && context.payload.pull_request.user.login != 'dependjinbot[bot]'
   
@@ -173,8 +185,10 @@ jobs:
 
     - name: Set Ready for Release
       id: set_ready_for_release
-      uses: actions/github-script@v6
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea   # v7.0.1
       with:
+        retries: 6  # final retry should wait 64 seconds
+        retry-exempt-status-codes: 400,401,404,422    # GH will raise rate limits with 403 & 429 status codes
         script: |
           return ( '${{ steps.is_human_pr.outputs.result }}' == 'true' || '${{ steps.watch_dependabot_prs.outputs.is_complete }}' == 'True') && '${{ steps.get_release_pending_pr_list.outputs.is_release_pending }}' == 'true'
 
@@ -193,11 +207,11 @@ jobs:
     if: |
       needs.check_ready_to_release.outputs.ready_to_release == 'true'
     steps:
-    - uses: actions/setup-dotnet@v1
+    - uses: actions/setup-dotnet@4d6c8fcf3c8f7a60068d26b594648e99df24cee3    # v4.0.0
       with:
         dotnet-version: '6.x'
 
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
       with:
         # ensure we are creating the release tag on the default branch
         ref: ${{ needs.lookup_default_branch.outputs.branch_name }}
@@ -214,15 +228,17 @@ jobs:
 
     - name: Generate token
       id: generate_token
-      uses: tibdex/github-app-token@v1
+      uses: tibdex/github-app-token@32691ba7c9e7063bd457bd8f2a5703138591fa58   # v1.9
       with:
         app_id: ${{ secrets.ENDJIN_BOT_APP_ID }}
         private_key: ${{ secrets.ENDJIN_BOT_PRIVATE_KEY }}
 
     - name: Create SemVer tag
-      uses: actions/github-script@v6
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea   # v7.0.1
       with:
         github-token: ${{ steps.generate_token.outputs.token }}
+        retries: 6  # final retry should wait 64 seconds
+        retry-exempt-status-codes: 400,401,404,422    # GH will raise rate limits with 403 & 429 status codes
         script: |
           const uri_path = '/repos/' + context.payload.repository.owner.login + '/' + context.payload.repository.name + '/git/refs'
           const tag = await github.request(('POST ' + uri_path), {
@@ -234,9 +250,11 @@ jobs:
 
     - name: Remove 'release_pending' label from PRs
       id: remove_pending_release_labels
-      uses: actions/github-script@v6
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea   # v7.0.1
       with:
         github-token: '${{ steps.generate_token.outputs.token }}'
+        retries: 6  # final retry should wait 64 seconds
+        retry-exempt-status-codes: 400,401,404,422    # GH will raise rate limits with 403 & 429 status codes
         script: |
           core.info('PRs to unlabel: ${{ needs.check_ready_to_release.outputs.pending_release_pr_list }}')
           const pr_list = JSON.parse('${{ needs.check_ready_to_release.outputs.pending_release_pr_list }}')

.github/workflows/build.yml

@@ -0,0 +1,90 @@
+name: build
+on:
+  push:
+    branches:
+    - main
+    tags:
+    - '*'
+  pull_request:
+    branches:
+    - main
+  workflow_dispatch:
+    inputs:
+      forcePublish:
+        description: When true the Publish stage will always be run, otherwise it only runs for tagged versions.
+        required: false
+        default: false
+        type: boolean
+      skipCleanup:
+        description: When true the pipeline clean-up stage will not be run. For example, the cache used between pipeline stages will be retained.
+        required: false
+        default: false
+        type: boolean
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  actions: write  # enable cache clean-up
+  checks: write  # enable test result annotations
+  contents: write  # enable creating releases
+  issues: read
+  packages: write  # enable publishing packages
+  pull-requests: write  # enable test result annotations 
+
+jobs:
+  prepareConfig:
+    name: Prepare Configuration
+    runs-on: ubuntu-latest
+    outputs:
+      RESOLVED_ENV_VARS: ${{ steps.prepareEnvVarsAndSecrets.outputs.environmentVariablesYamlBase64 }}
+      RESOLVED_SECRETS: ${{ steps.prepareEnvVarsAndSecrets.outputs.secretsYamlBase64 }}
+    steps:
+    # Declare any environment variables and/or secrets that need to be available inside the build process
+    - uses: endjin/Endjin.RecommendedPractices.GitHubActions/actions/prepare-env-vars-and-secrets@main
+      id: prepareEnvVarsAndSecrets
+      with:
+        # BUILDVAR_NuGetPublishSource:
+        #  When publishing NuGet packages only tagged versions get pushed to nuget.org, otherwise
+        #  they are pushed to GitHub Packages
+        # BUILDVAR_UseAcrTasks:
+        #  Due to the build phases running as separate jobs the container images built via 'docker build'
+        #  in the Package phase are not available to the Publish phase. Therefore, we use ACR Tasks to
+        #  build the images instead.
+        environmentVariablesYaml: |
+          BUILDVAR_NuGetPublishSource: "${{ startsWith(github.ref, 'refs/tags/') && 'https://api.nuget.org/v3/index.json' || 'https://nuget.pkg.github.com/endjin/index.json' }}"
+          BUILDVAR_ContainerRegistryFqdn: endjin.azurecr.io
+          BUILDVAR_UseAcrTasks: true
+        secretsYaml: |
+          NUGET_API_KEY: "${{ startsWith(github.ref, 'refs/tags/') && secrets.ENDJIN_NUGET_APIKEY || secrets.ENDJIN_GITHUB_PUBLISHER_PAT }}"
+
+  build:
+    needs: prepareConfig
+    uses: endjin/Endjin.RecommendedPractices.GitHubActions/.github/workflows/scripted-build-pipeline.yml@main
+    with:
+      netSdkVersion: '8.x'
+      # workflow_dispatch inputs are always strings, the type property is just for the UI
+      forcePublish: ${{ github.event.inputs.forcePublish == 'true' }}
+      skipCleanup: ${{ github.event.inputs.skipCleanup == 'true' }}
+      # These pass arbitrary environment variables to each of the build pipeline phases,
+      # as defined in the 'environmentVariablesYaml' property above.
+      compilePhaseEnv: ${{ needs.prepareConfig.outputs.RESOLVED_ENV_VARS }}
+      testPhaseEnv: ${{ needs.prepareConfig.outputs.RESOLVED_ENV_VARS }}
+      packagePhaseEnv: ${{ needs.prepareConfig.outputs.RESOLVED_ENV_VARS }}
+      publishPhaseEnv: ${{ needs.prepareConfig.outputs.RESOLVED_ENV_VARS }}
+    secrets:
+      # Ensures the build pipeline has access to pull images from the ACR and write SBOMs to storage
+      compilePhaseAzureCredentials: ${{ secrets.ENDJIN_PROD_ACR_READER_CREDENTIALS }}
+      # Ensures the build pipeline has access to run ACR Tasks
+      packagePhaseAzureCredentials: ${{ secrets.ENDJIN_PROD_ACR_PUBLISH_CREDENTIALS }}
+      # Ensures the build pipeline has access to push/re-tag images to the ACR
+      publishPhaseAzureCredentials: ${{ secrets.ENDJIN_PROD_ACR_PUBLISH_CREDENTIALS }}
+      # Uncomment the following to pass arbitrary secrets to the required build pipeline phases,
+      # as defined in the 'secretsYaml' property above.  They will be available to the
+      # scripted build process as environment variables.
+      #
+      # compilePhaseSecrets: ${{ needs.prepareConfig.outputs.RESOLVED_SECRETS }}
+      # testPhaseSecrets: ${{ needs.prepareConfig.outputs.RESOLVED_SECRETS }}
+      packagePhaseSecrets: ${{ needs.prepareConfig.outputs.RESOLVED_SECRETS }}
+      publishPhaseSecrets: ${{ needs.prepareConfig.outputs.RESOLVED_SECRETS }}

.github/workflows/dependabot_approve_and_label.yml

@@ -23,7 +23,7 @@ jobs:
       is_auto_release_candidate: ${{ steps.parse_dependabot_pr_autorelease.outputs.is_interesting_package }}
       semver_increment: ${{ steps.parse_dependabot_pr_automerge.outputs.semver_increment }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
       - name: Read pr-autoflow configuration
         id: get_pr_autoflow_config
         uses: endjin/pr-autoflow/actions/read-configuration@v4
@@ -79,9 +79,11 @@ jobs:
         if: |
           needs.evaluate_dependabot_pr.outputs.is_auto_merge_candidate == 'True' &&
           (needs.evaluate_dependabot_pr.outputs.semver_increment == 'minor' || needs.evaluate_dependabot_pr.outputs.semver_increment == 'patch')
-        uses: actions/github-script@v6
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea   # v7.0.1
         with:
           github-token: '${{ secrets.GITHUB_TOKEN }}'
+          retries: 6  # final retry should wait 64 seconds
+          retry-exempt-status-codes: 400,401,404,422    # GH will raise rate limits with 403 & 429 status codes
           script: |
             await github.rest.pulls.update({
               owner: context.payload.repository.owner.login,
@@ -97,9 +99,11 @@ jobs:
     steps:
     - name: Check for 'no_release' label on PR
       id: check_for_norelease_label
-      uses: actions/github-script@v6
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea   # v7.0.1
       with:
         github-token: ${{ secrets.GITHUB_TOKEN }}
+        retries: 6  # final retry should wait 64 seconds
+        retry-exempt-status-codes: 400,401,404,422    # GH will raise rate limits with 403 & 429 status codes
         script: |
             const labels = await github.rest.issues.listLabelsOnIssue({
               owner: context.payload.repository.owner.login,
@@ -129,7 +133,7 @@ jobs:
       #       the usual 'Action' secrets as this workflow is triggered by Dependabot.
       - name: Generate token
         id: generate_token
-        uses: tibdex/github-app-token@v1
+        uses: tibdex/github-app-token@32691ba7c9e7063bd457bd8f2a5703138591fa58   # v1.9
         with:
           app_id: ${{ secrets.DEPENDJINBOT_APP_ID }}
           private_key: ${{ secrets.DEPENDJINBOT_PRIVATE_KEY }}
@@ -150,9 +154,11 @@ jobs:
             (github.actor != 'dependabot[bot]' && github.actor != 'dependjinbot[bot]') ||
             needs.evaluate_dependabot_pr.outputs.is_auto_release_candidate == 'True'
           )
-        uses: actions/github-script@v6
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea   # v7.0.1
         with:
           github-token: '${{ secrets.GITHUB_TOKEN }}'
+          retries: 6  # final retry should wait 64 seconds
+          retry-exempt-status-codes: 400,401,404,422    # GH will raise rate limits with 403 & 429 status codes
           script: |
             await github.rest.issues.addLabels({
               owner: context.payload.repository.owner.login,

GitVersion.yml

@@ -15,10 +15,9 @@ branches:
     tag: dependabot
     source-branches:
     - develop
-    - master
+    - main
     - release
     - feature
     - support
     - hotfix
-next-version: "1.6"
-
+next-version: "2.0"

Solutions/Corvus.Storage.Azure.BlobStorage/Corvus.Storage.Azure.BlobStorage.csproj

@@ -3,8 +3,7 @@
   <Import Project="$(EndjinProjectPropsPath)" Condition="$(EndjinProjectPropsPath) != ''" />
 
   <PropertyGroup>
-    <TargetFramework>net6.0</TargetFramework>
-
+    <TargetFramework>net8.0</TargetFramework>
     <Nullable>enable</Nullable>
   </PropertyGroup>
 
@@ -16,8 +15,9 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Azure.Storage.Blobs" Version="12.16.0" />
-    <PackageReference Include="Endjin.RecommendedPractices.GitHub" Version="2.1.7">
+    <PackageReference Include="Azure.Storage.Blobs" Version="12.23.0" />
+    <PackageReference Include="Corvus.Identity.Azure" Version="4.0.0" />
+    <PackageReference Include="Endjin.RecommendedPractices.GitHub" Version="2.1.14">
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>
@@ -28,3 +28,4 @@
   </ItemGroup>
 
 </Project>
+

Solutions/Corvus.Storage.Azure.Cosmos/Corvus.Storage.Azure.Cosmos.csproj

@@ -3,7 +3,7 @@
   <Import Project="$(EndjinProjectPropsPath)" Condition="$(EndjinProjectPropsPath) != ''" />
 
   <PropertyGroup>
-    <TargetFramework>net6.0</TargetFramework>
+    <TargetFramework>net8.0</TargetFramework>
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>
   </PropertyGroup>
@@ -16,15 +16,19 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Endjin.RecommendedPractices.GitHub" Version="2.1.7">
+    <PackageReference Include="Corvus.Identity.Azure" Version="4.0.0" />
+    <PackageReference Include="Endjin.RecommendedPractices.GitHub" Version="2.1.14">
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>
-    <PackageReference Include="Microsoft.Azure.Cosmos" Version="3.33.0" />
+    <PackageReference Include="Microsoft.Azure.Cosmos" Version="3.46.0" />
+    <!--Explicit reference required by Microsoft.Azure.Cosmos -->
+    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
   </ItemGroup>
 
   <ItemGroup>
     <ProjectReference Include="..\Corvus.Storage.Common\Corvus.Storage.Common.csproj" />
   </ItemGroup>
 
 </Project>
+

Solutions/Corvus.Storage.Azure.Cosmos/Corvus/Storage/Azure/Cosmos/Internal/CosmosContainerConfigurationValidation.cs

@@ -32,7 +32,7 @@ internal static class CosmosContainerConfigurationValidation
             return "must not be null";
         }
 
-        HashSet<CosmosContainerConfigurationTypes> indicatedConfigTypes = new();
+        HashSet<CosmosContainerConfigurationTypes> indicatedConfigTypes = [];
 
         bool accountUriPresent = !string.IsNullOrWhiteSpace(configuration.AccountUri);
         bool databasePresent = !string.IsNullOrWhiteSpace(configuration.Database);