Upgrade to .NET 10 and update dependencies (#179)

* Upgrade to .NET 10. Pin action versions

* Update dependencies and configuration for .NET 10 compatibility

* Lint

* Fix linting issues

---------

Co-authored-by: ondfisk <[email protected]>

Author: ondfisk

.devcontainer/Dockerfile

@@ -1,4 +1,4 @@
-FROM mcr.microsoft.com/devcontainers/dotnet:1-9.0-bookworm
+FROM mcr.microsoft.com/devcontainers/dotnet:10.0
 
 USER vscode
 
@@ -7,10 +7,3 @@ RUN dotnet tool install --global dotnet-ef \
 
 HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
   CMD dotnet --info > /dev/null || exit 1
-
-# [Optional] Uncomment this section to install additional OS packages.
-# RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
-#     && apt-get -y install --no-install-recommends <your-package-list-here>
-
-# [Optional] Uncomment this line to install global node packages.
-# RUN su vscode -c "source /usr/local/share/nvm/nvm.sh && npm install -g <your-package-here>" 2>&1

.devcontainer/devcontainer.json

@@ -5,13 +5,14 @@
   "workspaceFolder": "/workspaces/${localWorkspaceFolderBasename}",
   "features": {
     "ghcr.io/devcontainers/features/azure-cli:1": {
-      "version": "2.72.0",
+      "version": "latest",
       "installBicep": true,
       "extensions": "serviceconnector-passwordless"
     },
     "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {},
     "ghcr.io/devcontainers/features/dotnet:2": {
-      "version": "lts"
+      "version": "10.0",
+      "additionalVersions": "8.0, 9.0"
     },
     "ghcr.io/devcontainers/features/github-cli:1": {}
   },

.github/linters/zizmor.yaml

@@ -39,14 +39,14 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/[email protected]
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
 
       - name: Setup .NET
-        uses: actions/[email protected]
+        uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
         with:
-          dotnet-version: 9.0.x
+          dotnet-version: 10.0.x
 
       - name: Restore Packages
         run: dotnet restore
@@ -64,7 +64,7 @@ jobs:
         run: dotnet ef migrations script --idempotent --project src/MovieApi/ --startup-project src/MovieApi/ --no-build --output migrate.sql
 
       - name: Upload Database Migrations Script
-        uses: actions/[email protected]
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: migrate.sql
           path: migrate.sql
@@ -89,12 +89,12 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/[email protected]
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
 
       - name: Setup .NET
-        uses: actions/[email protected]
+        uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
         with:
           dotnet-version: 9.0.x
 
@@ -110,14 +110,14 @@ jobs:
           GITHUB_SHA: ${{ github.sha }}
 
       - name: Azure Login
-        uses: azure/[email protected]
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
         with:
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Get Variables
-        uses: azure/[email protected]
+        uses: azure/cli@9f7ce6f37c31b777ec6c6b6d1dfe7db79f497956 # v2.2.0
         with:
           inlineScript: |
             DATABASE_USER=${{ secrets.AZURE_CLIENT_DISPLAY_NAME }}
@@ -148,20 +148,20 @@ jobs:
           IMAGE_TAG: ${{ github.ref == 'refs/heads/main' && 'latest' || 'test' }}
 
       - name: Download Database Migrations Script
-        uses: actions/[email protected]
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: migrate.sql
           path: .
 
       - name: Apply Database Migrations
-        uses: azure/postgresql@v1
+        uses: azure/postgresql@59401b7890419c83f372819a1c37f5aecf57ac92 # v1.2.0
         with:
           connection-string: ${{ env.CONNECTION_STRING }}
           server-name: ${{ env.POSTGRESQL_SERVER }}
           plsql-file: migrate.sql
 
       - name: Deploy Web App Container
-        uses: azure/[email protected]
+        uses: azure/webapps-deploy@657f0700ea5214d56a0400d8ac5e8023c963d25d # v3.0.6
         with:
           app-name: ${{ env.WEBAPP }}
           slot-name: staging
@@ -184,20 +184,20 @@ jobs:
 
     steps:
       - name: Download Database Migrations Script
-        uses: actions/[email protected]
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: migrate.sql
           path: .
 
       - name: Azure Login
-        uses: azure/[email protected]
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
         with:
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Get Variables
-        uses: azure/[email protected]
+        uses: azure/cli@9f7ce6f37c31b777ec6c6b6d1dfe7db79f497956 # v2.2.0
         with:
           inlineScript: |
             DATABASE_USER=${{ secrets.AZURE_CLIENT_DISPLAY_NAME }}
@@ -213,14 +213,14 @@ jobs:
             echo "CONNECTION_STRING=$CONNECTION_STRING" >> "$GITHUB_ENV"
 
       - name: Apply Database Migrations
-        uses: azure/postgresql@v1
+        uses: azure/postgresql@59401b7890419c83f372819a1c37f5aecf57ac92 # v1.2.0
         with:
           connection-string: ${{ env.CONNECTION_STRING }}
           server-name: ${{ env.POSTGRESQL_SERVER }}
           plsql-file: migrate.sql
 
       - name: Swap Staging With Production
-        uses: azure/[email protected]
+        uses: azure/cli@9f7ce6f37c31b777ec6c6b6d1dfe7db79f497956 # v2.2.0
         with:
           inlineScript: |
             az webapp deployment slot swap --resource-group "$RESOURCE_GROUP" --name "$WEBAPP" --slot staging

.github/workflows/application.yml

@@ -0,0 +1,30 @@
+---
+name: Dependency Review
+
+"on":
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+
+permissions: {}
+
+jobs:
+  review:
+    name: Dependency Review
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Run Dependency Review
+        uses: actions/dependency-review-action@56339e523c0409420f6c2c9a2f4292bbb3c07dd3 # v4.8.0
+        with:
+          comment-summary-in-pr: true

.github/workflows/dependency-review.yml

@@ -34,26 +34,26 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/[email protected]
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
 
       - name: Lint Bicep Files
-        uses: azure/[email protected]
+        uses: azure/cli@9f7ce6f37c31b777ec6c6b6d1dfe7db79f497956 # v2.2.0
         with:
           inlineScript: |
             az bicep lint --file infrastructure/main.bicep
             az bicep lint --file infrastructure/main.bicepparam
 
       - name: Build Bicep Files
-        uses: azure/[email protected]
+        uses: azure/cli@9f7ce6f37c31b777ec6c6b6d1dfe7db79f497956 # v2.2.0
         with:
           inlineScript: |
             az bicep build --file infrastructure/main.bicep --outfile infrastructure/main.json
             az bicep build-params --file infrastructure/main.bicepparam --outfile infrastructure/main.parameters.json
 
       - name: Upload Artifacts
-        uses: actions/[email protected]
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: infrastructure
           path: infrastructure/*.json
@@ -71,26 +71,26 @@ jobs:
 
     steps:
       - name: Download Artifacts
-        uses: actions/[email protected]
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: infrastructure
           path: infrastructure/
 
       - name: Azure Login
-        uses: azure/[email protected]
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
         with:
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Create Resource Group
-        uses: azure/[email protected]
+        uses: azure/cli@9f7ce6f37c31b777ec6c6b6d1dfe7db79f497956 # v2.2.0
         with:
           inlineScript: |
             az group create --name "$RESOURCE_GROUP" --location "$LOCATION"
 
       - name: Validate ARM Deployment
-        uses: azure/arm-deploy@v2
+        uses: azure/arm-deploy@a1361c2c2cd398621955b16ca32e01c65ea340f5 # v2
         with:
           scope: resourcegroup
           resourceGroupName: ${{ env.RESOURCE_GROUP }}
@@ -99,7 +99,7 @@ jobs:
           deploymentMode: Validate
 
       - name: What-if ARM Deployment
-        uses: azure/arm-deploy@v2
+        uses: azure/arm-deploy@a1361c2c2cd398621955b16ca32e01c65ea340f5 # v2
         with:
           scope: resourcegroup
           resourceGroupName: ${{ env.RESOURCE_GROUP }}
@@ -121,27 +121,27 @@ jobs:
 
     steps:
       - name: Download Artifacts
-        uses: actions/[email protected]
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: infrastructure
           path: infrastructure/
 
       - name: Azure Login
-        uses: azure/[email protected]
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
         with:
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Create Resource Group
-        uses: azure/[email protected]
+        uses: azure/cli@9f7ce6f37c31b777ec6c6b6d1dfe7db79f497956 # v2.2.0
         with:
           inlineScript: |
             az group create --name "$RESOURCE_GROUP" --location "$LOCATION"
 
       - name: Deploy Resources
         id: deploy
-        uses: azure/arm-deploy@v2
+        uses: azure/arm-deploy@a1361c2c2cd398621955b16ca32e01c65ea340f5 # v2
         with:
           scope: resourcegroup
           resourceGroupName: ${{ env.RESOURCE_GROUP }}

.github/workflows/infrastructure.yml

@@ -23,21 +23,23 @@ jobs:
 
     steps:
       - name: Checkout Code
-        uses: actions/[email protected]
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
           persist-credentials: true
 
       - name: Super-Linter
-        uses: super-linter/[email protected]
+        uses: super-linter/super-linter@2bdd90ed3262e023ac84bf8fe35dc480721fc1f2 # v8.2.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          VALIDATE_DOTNET_SLN_FORMAT_ANALYZERS: false # Not supported for .NET 10 yet
+          VALIDATE_DOTNET_SLN_FORMAT_STYLE: false # Not supported for .NET 10 yet
           VALIDATE_GIT_COMMITLINT: false
           FIX_BIOME_FORMAT: true
           FIX_BIOME_LINT: true
           FIX_CSHARP: true
-          FIX_DOTNET_SLN_FORMAT_ANALYZERS: true
-          FIX_DOTNET_SLN_FORMAT_STYLE: true
+          # FIX_DOTNET_SLN_FORMAT_ANALYZERS: true
+          # FIX_DOTNET_SLN_FORMAT_STYLE: true
           FIX_DOTNET_SLN_FORMAT_WHITESPACE: true
           FIX_GITHUB_ACTIONS_ZIZMOR: true
           FIX_JSON_PRETTIER: true
@@ -51,7 +53,7 @@ jobs:
 
       - name: Commit and push linting fixes
         if: github.event_name == 'pull_request' && github.ref_name != github.event.repository.default_branch
-        uses: stefanzweifel/[email protected]
+        uses: stefanzweifel/git-auto-commit-action@28e16e81777b558cc906c8750092100bbb34c5e3 # v7.0.0
         with:
           add_options: --update
           branch: ${{ github.event.pull_request.head.ref || github.head_ref || github.ref }}

.github/workflows/lint.yml

@@ -0,0 +1,35 @@
+---
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+"on":
+  push:
+    branches:
+      - main
+    paths:
+      - .github/workflows/**
+  pull_request:
+    branches:
+      - "**"
+    paths:
+      - .github/workflows/**
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: Run zizmor 🌈
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor 🌈
+        uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0
+        with:
+          persona: pedantic