V4.0.5/service update

[gimlichael]

This pull request is a service update focused on keeping package dependencies current and compatible across all supported target frameworks. The changes include dependency upgrades, release note updates, and minor infrastructure improvements.

Dependency Upgrades

• Updated several NuGet package versions in Directory.Packages.props, including Codebelt.Extensions.Swashbuckle.AspNetCore, Codebelt.Extensions.Xunit.App, Cuemon.Core, and Cuemon.Extensions.Hosting, as well as various Microsoft packages for both .NET 9 and .NET 8 target frameworks. [1] [2]

Release Documentation

• Added release notes for version 4.0.5 in CHANGELOG.md, clarifying this is a service update focused on dependencies.
• Updated release notes in all relevant PackageReleaseNotes.txt files to reflect version 4.0.5 and document the dependency upgrades. [1] [2] [3] [4]

Infrastructure

• Updated the NGINX base image version in .docfx/Dockerfile.docfx to 1.29.1-alpine for improved stability and security.
• Updated the Docker test environment image version in testenvironments.json for .NET 8 and .NET 9 compatibility.

Summary by CodeRabbit

• Chores

  • Upgraded dependencies to the latest compatible patch versions across .NET 9 and .NET 8 targets.
  • Updated doc generation container to use nginx 1.29.1-alpine.
  • Refreshed test runner Docker image to latest patch tags.

• Documentation

  • Added release notes for version 4.0.5 highlighting dependency updates.
  • Updated package release notes for Bootstrapper, Web, Worker, and Console to reflect 4.0.5 availability for .NET 9 and .NET 8 and dependency upgrades.
  • Appended CHANGELOG entry for 4.0.5 (service update focused on package dependencies).

[coderabbitai]

Warning

Rate limit exceeded

@gimlichael has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 14 minutes and 35 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between c6c8fba and 789780b.

📒 Files selected for processing (1)

• .github/workflows/pipelines.yml (1 hunks)

Walkthrough

Bumps NGINX base image in .docfx Dockerfile, updates dependency versions in Directory.Packages.props for .NET 9 and .NET 8 groups, refreshes Docker test image tag in testenvironments.json, adds a 4.0.5 entry to CHANGELOG.md, and updates four NuGet package release notes to include 4.0.5 with dependency upgrade notes.

Changes

Cohort / File(s)	Summary
DocFX Docker image bump .docfx/Dockerfile.docfx	Updated ARG NGINX_VERSION default from 1.29.0-alpine to 1.29.1-alpine; both stages now use nginx:1.29.1-alpine.
Central package versions Directory.Packages.props	Incremented patch versions for Codebelt and Cuemon packages; bumped Microsoft.* packages under net9 and net8 conditional groups by one patch version. No structural changes.
Release notes updates .nuget/Codebelt.Bootstrapper/PackageReleaseNotes.txt, .nuget/Codebelt.Bootstrapper.Console/PackageReleaseNotes.txt, .nuget/Codebelt.Bootstrapper.Web/PackageReleaseNotes.txt, .nuget/Codebelt.Bootstrapper.Worker/PackageReleaseNotes.txt	Added Version 4.0.5 entries noting availability (.NET 9, .NET 8) and dependency updates; removed prior dependency-change bullets from 4.0.4 where present.
Changelog entry CHANGELOG.md	Added 4.0.5 section dated 2025-09-15 stating a service update focusing on package dependencies.
Test environment image testenvironments.json	Updated Docker-Ubuntu dockerImage tag from net8.0.413-9.0.304 to net8.0.414-9.0.305.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• V4.0.4/service update #16 — Prior service update touching the same files (package versions, test envs, changelog, release notes).
• V4.0.3/service update #15 — Introduced and used ARG NGINX_VERSION in .docfx/Dockerfile.docfx, which this PR increments.
• V3.0.0/rtm #5 — Previous bumps in Directory.Packages.props affecting the same centralized package version declarations.

Poem

A rabbit taps its tiny keys, hop-hop,
NGINX nudged to a fresher stop.
Packages patched, the garden’s neat,
Changelog whispers, tidy and sweet.
Test pods brew with a newer pot—
4.0.5? Ship it. Carrot dot. 🥕

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title "V4.0.5/service update" succinctly identifies the primary intent—a v4.0.5 service update—and directly reflects the PR objectives (dependency upgrades, release notes, and minor infra image bumps), making it clear and scannable for teammates.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (7)

CHANGELOG.md (1)

7-10: Use Keep a Changelog sections for clarity (“Changed”).

Recommend replacing the free-form sentence with a “### Changed” block summarizing deps + infra bumps (props, docfx NGINX, test runner image). Improves scanability and consistency with prior entries.

-## [4.0.5] - 2025-09-15
-
-This is a service update that focuses on package dependencies.
+## [4.0.5] - 2025-09-15
+
+### Changed
+- Updated package versions (see Directory.Packages.props) across .NET 9 and .NET 8 TFMs.
+- DocFX site container: NGINX base image bumped to 1.29.1-alpine.
+- Test environment runner image updated to net8.0.414-9.0.305.

.nuget/Codebelt.Bootstrapper.Worker/PackageReleaseNotes.txt (1)

1-6: Strip BOM (U+FEFF) to avoid invisible-diff churn.

The file starts with a BOM (“Version…”). Prefer UTF‑8 without BOM for text notes to reduce noisy diffs across platforms.

.nuget/Codebelt.Bootstrapper.Console/PackageReleaseNotes.txt (1)

1-6: Remove UTF‑8 BOM.

Same BOM prefix here; drop it to avoid tooling inconsistencies.

.docfx/Dockerfile.docfx (1)

3-5: Eliminate unused “base” stage or reuse it.

The “base” stage is not referenced; final stage starts from a fresh nginx image, making the cleanup in base a no‑op for the output image. Either remove the base stage and do cleanup in final, or FROM base AS final.

-FROM --platform=$BUILDPLATFORM nginx:${NGINX_VERSION} AS base
-RUN rm -rf /usr/share/nginx/html/*
+## Option A: single final stage
+FROM --platform=$BUILDPLATFORM nginx:${NGINX_VERSION} AS final
+RUN rm -rf /usr/share/nginx/html/*
@@
-FROM nginx:${NGINX_VERSION} AS final
-WORKDIR /usr/share/nginx/html
+WORKDIR /usr/share/nginx/html
 COPY --from=build /build/docfx/wwwroot /usr/share/nginx/html

Also applies to: 13-15

.nuget/Codebelt.Bootstrapper.Web/PackageReleaseNotes.txt (1)

1-6: Remove UTF‑8 BOM.

Leading BOM present; remove for consistency across release note files.

.nuget/Codebelt.Bootstrapper/PackageReleaseNotes.txt (1)

1-6: Remove UTF‑8 BOM.

Same minor nit as the other release note files.

Directory.Packages.props (1)

24-30: Consider aligning remaining net8 Microsoft. to the same patch level.*

OpenApi and Razor RC are on 8.0.20; the others remain at earlier patches (8.0.0/8.0.2/8.0.1). Aligning reduces mixed transitive graphs unless you’re pinning intentionally.

   <ItemGroup Condition="$(TargetFramework.StartsWith('net8'))">
     <PackageVersion Include="Microsoft.AspNetCore.OpenApi" Version="8.0.20" />
     <PackageVersion Include="Microsoft.AspNetCore.Mvc.Razor.RuntimeCompilation" Version="8.0.20" />
-    <PackageVersion Include="Microsoft.Extensions.Configuration" Version="8.0.0" />
-    <PackageVersion Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="8.0.2" />
-    <PackageVersion Include="Microsoft.Extensions.Hosting" Version="8.0.1" />
+    <PackageVersion Include="Microsoft.Extensions.Configuration" Version="8.0.20" />
+    <PackageVersion Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="8.0.20" />
+    <PackageVersion Include="Microsoft.Extensions.Hosting" Version="8.0.20" />
   </ItemGroup>

If those versions are intentionally pinned lower for compatibility, please add an XML comment explaining the constraint.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 308fe14 and c6c8fba.

📒 Files selected for processing (8)

• .docfx/Dockerfile.docfx (1 hunks)
• .nuget/Codebelt.Bootstrapper.Console/PackageReleaseNotes.txt (1 hunks)
• .nuget/Codebelt.Bootstrapper.Web/PackageReleaseNotes.txt (1 hunks)
• .nuget/Codebelt.Bootstrapper.Worker/PackageReleaseNotes.txt (1 hunks)
• .nuget/Codebelt.Bootstrapper/PackageReleaseNotes.txt (1 hunks)
• CHANGELOG.md (1 hunks)
• Directory.Packages.props (2 hunks)
• testenvironments.json (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: call-build (Debug) / 🛠️ Build

🔇 Additional comments (3)

.docfx/Dockerfile.docfx (1)

1-1: Pin NGINX image to a sha256 digest and verify Alpine package CVEs.

.docfx/Dockerfile.docfx — line 1: replace
ARG NGINX_VERSION=1.29.1-alpine
with a pinned digest (e.g., ARG NGINX_VERSION=nginx@sha256:) to prevent supply‑chain drift. Verify the image before merging: upstream 1.29.1 includes the fix for CVE‑2025‑53859 but Alpine packaging/build options can affect vulnerability status (check Alpine security tracker for CVE‑2025‑23419 and run nginx -V inside the image to inspect enabled modules).

Directory.Packages.props (1)

6-9: No project overrides found for these packages.
Searched the repo for PackageReference Include/Update for Codebelt.Extensions.Swashbuckle.AspNetCore, Codebelt.Extensions.Xunit.App, Cuemon.Core, and Cuemon.Extensions.Hosting that specify a Version attribute or a nested ; no matches found.

testenvironments.json (1)

12-12: Pin Docker image by digest and verify contained SDK/runtime.

Tag net8.0.414-9.0.305 is present; manifest index digest: sha256:be295cf5e17f05364cf87d218aff9ecd99284f336164ea3cdbde7b352d906411 (amd64 platform manifest: sha256:832b9e0d0c153306c75144cb305de2053a681480fdb2b9c5a7bff67452944bc9).

• Update testenvironments.json (line 12) to use the digest:
  "dockerImage": "gimlichael/ubuntu-testrunner@sha256:be295cf5e17f05364cf87d218aff9ecd99284f336164ea3cdbde7b352d906411"
• If you require amd64-only reproducibility, pin to the amd64 manifest digest instead.
• Verify the included .NET SDK/runtime patch levels by fetching the platform manifest + config blob or by pulling the image and running dotnet --info inside the container.

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Double-check 9.0.9 is the latest safe patch across the net9 set.

Minor but useful to keep the net9 group in lockstep on the same patch floor if newer service releases exist.

---

🌐 Web query:

What are the latest patch versions for these as of 2025-09-15: Microsoft.AspNetCore.OpenApi, Microsoft.AspNetCore.Mvc.Razor.RuntimeCompilation, Microsoft.Extensions.Configuration, Microsoft.Extensions.DependencyInjection.Abstractions, Microsoft.Extensions.Hosting (for .NET 9)?

💡 Result:

As of 2025-09-15 the latest .NET 9 patch versions on NuGet are:

• Microsoft.AspNetCore.OpenApi — 9.0.9. [1]
• Microsoft.AspNetCore.Mvc.Razor.RuntimeCompilation — 9.0.8. [2]
• Microsoft.Extensions.Configuration — 9.0.9. [3]
• Microsoft.Extensions.DependencyInjection.Abstractions — 9.0.9. [4]
• Microsoft.Extensions.Hosting — 9.0.8. [5]

Sources: NuGet package pages for each package.

---

Align net9 package versions to NuGet-published patches

Directory.Packages.props (lines 18–22): Microsoft.AspNetCore.Mvc.Razor.RuntimeCompilation and Microsoft.Extensions.Hosting are listed as 9.0.9 here but NuGet shows 9.0.8 as the latest for those packages (others are 9.0.9) as of 2025-09-15 — change those two to 9.0.8 or pick a single validated patch floor for all net9 packages to avoid referencing non-existent 9.0.9 versions.

🤖 Prompt for AI Agents

In Directory.Packages.props around lines 18 to 22, two packages
(Microsoft.AspNetCore.Mvc.Razor.RuntimeCompilation and
Microsoft.Extensions.Hosting) are pinned to 9.0.9 which NuGet shows as 9.0.8 for
those packages; update those two Version attributes to 9.0.8 (or alternatively
choose one validated patch version and set all net9 package Version entries to
that same patch) so the file only references published NuGet versions and
remains consistent.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 76.17%. Comparing base (308fe14) to head (789780b).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main      #17   +/-   ##
=======================================
  Coverage   76.17%   76.17%           
=======================================
  Files          20       20           
  Lines         256      256           
  Branches       16       16           
=======================================
  Hits          195      195           
  Misses         61       61           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud