Merge branch 'main' into test-all-images

Ella Hathaway 2024-08-12 10:51:37 -07:00 committed by GitHub
Parents ecf84bab0a 10117eef3f
Commit 736fd023aa
No known key found for this signature
GPG key ID: B5690EEEBB952194
64 changed files: 325 additions and 298 deletions

.github/workflows/markdownlint.yml (vendored)

@ -26,4 +26,4 @@ jobs:
run: |
echo "::add-matcher::.github/workflows/markdownlint-problem-matcher.json"
npm i -g markdownlint-cli
markdownlint "**/*.md"
markdownlint "**/*.md" -i "eng/readme-templates/*" -i "eng/common/*"
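Review bot: The ignore patterns on the new `markdownlint` line end in `/*` (`-i "eng/readme-templates/*" -i "eng/common/*"`), which as a glob covers only the direct children of each directory. If Markdown files in nested folders under those paths should also be skipped, use `eng/common/**` and `eng/readme-templates/**`, or pass the directory itself. Separately, `npm i -g markdownlint-cli` two lines above installs whatever version is current; pinning a version would keep this job reproducible and avoid pulling an unreviewed release into CI.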


@ -1,32 +1,16 @@
{
"default": true,
"MD013": false, // line length
"MD024": { // no-duplicate-heading Multiple headings with the same content
"siblings_only": true
},
"MD033": false, // no inline HTML
// The following rules are disabled to allow the linter to be enabled.
// Follow-up work will be done to enable these rules and clean up the violations.
"MD001": false, // heading-increment Heading levels should only increment by one level at a time
"MD004": false, // ul-style Unordered list style
"MD005": false, // list-indent Inconsistent indentation for list items at the same level
"MD007": false, // ul-indent Unordered list indentation
"MD009": false, // no-trailing-spaces Trailing spaces
"MD010": false, // no-hard-tabs Hard tabs
"MD011": false, // no-reversed-links Reversed link syntax
"MD012": false, // no-multiple-blanks Multiple consecutive blank lines
"MD013": false, // line length
"MD014": false, // commands-show-output Dollar signs used before commands without showing output
"MD022": false, // blanks-around-headings Headings should be surrounded by blank lines
"MD024": false, // no-duplicate-heading Multiple headings with the same content
"MD025": false, // single-title/single-h1 Multiple top-level headings in the same document
"MD026": false, // no-trailing-punctuation Trailing punctuation in heading
"MD028": false, // no-blanks-blockquote Blank line inside blockquote
"MD031": false, // blanks-around-fences Fenced code blocks should be surrounded by blank lines
"MD032": false, // blanks-around-lists Lists should be surrounded by blank lines
"MD034": false, // no-bare-urls Bare URL used
"MD036": false, // no-emphasis-as-heading Emphasis used instead of a heading
"MD037": false, // no-space-in-emphasis Spaces inside emphasis markers
"MD040": false, // fenced-code-language Fenced code blocks should have a language specified
"MD041": false, // first-line-heading/first-line-h1 First line in a file should be a top-level heading
"MD047": false, // single-trailing-newline Files should end with a single newline character
"MD049": false, // emphasis-style Emphasis style
"MD051": false, // link-fragments Link fragments should be valid
}
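Review bot: `MD013` and `MD024` each appear twice in this hunk, once near the top (`"MD024": {` with `"siblings_only": true`) and once in the disabled list (`"MD024": false`). Confirm the resulting file keeps only the first entries: with duplicate keys most JSON parsers take the last value, so a leftover `"MD024": false` would disable the rule and `siblings_only` would never apply. The "Follow-up work will be done" comment would also be easier to act on with a link to the tracking issue.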


@ -15,28 +15,28 @@ The .NET Aspire Dashboard is a browser-based app to view run-time information ab
The dashboard shows:
- Resources that make up your app, such as .NET projects, executables and containers.
- Live console logs of resources.
- Live telemetry, such as structured logs, traces and metrics.
* Resources that make up your app, such as .NET projects, executables and containers.
* Live console logs of resources.
* Live telemetry, such as structured logs, traces and metrics.
## Configuration
The dashboard must be configured when it is started. The configuration is done via environment variables. The following environment variables are supported:
- `ASPNETCORE_URLS` specifies one or more HTTP endpoints through which the dashboard frontend is served. The frontend endpoint is used to view the dashboard in a browser. Defaults to http://localhost:18888.
- `DOTNET_DASHBOARD_OTLP_ENDPOINT_URL` specifies the [OTLP/gRPC](https://opentelemetry.io/docs/specs/otlp/#otlpgrpc) endpoint. This endpoint hosts an OTLP service and receives telemetry using gRPC. When the dashboard is launched by the .NET Aspire app host this address is secured with HTTPS. Securing the dashboard with HTTPS is recommended. Defaults to http://localhost:18889.
- `DOTNET_DASHBOARD_OTLP_HTTP_ENDPOINT_URL` specifies the [OTLP/HTTP](https://opentelemetry.io/docs/specs/otlp/#otlphttp) endpoint. This endpoint hosts an OTLP service and receives telemetry using Protobuf over HTTP. Defaults to http://localhost:18890.
- `DOTNET_DASHBOARD_UNSECURED_ALLOW_ANONYMOUS` specifies the dashboard doesn't use authentication and accepts anonymous access. This setting is a shortcut to configuring `Dashboard:Frontend:AuthMode` and `Dashboard:Otlp:AuthMode` to `Unsecured`.
- `DOTNET_DASHBOARD_CONFIG_FILE_PATH` specifies the path for an optional JSON configuration file.
* `ASPNETCORE_URLS` specifies one or more HTTP endpoints through which the dashboard frontend is served. The frontend endpoint is used to view the dashboard in a browser. Defaults to `http://localhost:18888`.
* `DOTNET_DASHBOARD_OTLP_ENDPOINT_URL` specifies the [OTLP/gRPC](https://opentelemetry.io/docs/specs/otlp/#otlpgrpc) endpoint. This endpoint hosts an OTLP service and receives telemetry using gRPC. When the dashboard is launched by the .NET Aspire app host this address is secured with HTTPS. Securing the dashboard with HTTPS is recommended. Defaults to `http://localhost:18889`.
* `DOTNET_DASHBOARD_OTLP_HTTP_ENDPOINT_URL` specifies the [OTLP/HTTP](https://opentelemetry.io/docs/specs/otlp/#otlphttp) endpoint. This endpoint hosts an OTLP service and receives telemetry using Protobuf over HTTP. Defaults to `http://localhost:18890`.
* `DOTNET_DASHBOARD_UNSECURED_ALLOW_ANONYMOUS` specifies the dashboard doesn't use authentication and accepts anonymous access. This setting is a shortcut to configuring `Dashboard:Frontend:AuthMode` and `Dashboard:Otlp:AuthMode` to `Unsecured`.
* `DOTNET_DASHBOARD_CONFIG_FILE_PATH` specifies the path for an optional JSON configuration file.
### Frontend authentication
The dashboard's frontend supports OpenID Connect (OIDC). Set `Dashboard__Frontend__AuthMode` to `OpenIdConnect`, then add the following configuration:
- `Authentication__Schemes__OpenIdConnect__Authority` — URL to the identity provider (IdP)
- `Authentication__Schemes__OpenIdConnect__ClientId` — Identity of the relying party (RP)
- `Authentication__Schemes__OpenIdConnect__ClientSecret`— A secret that only the real RP would know
- Other properties of [`OpenIdConnectOptions`](https://learn.microsoft.com/dotnet/api/microsoft.aspnetcore.builder.openidconnectoptions) specified in configuration container `Authentication__Schemes__OpenIdConnect__*`
* `Authentication__Schemes__OpenIdConnect__Authority` — URL to the identity provider (IdP)
* `Authentication__Schemes__OpenIdConnect__ClientId` — Identity of the relying party (RP)
* `Authentication__Schemes__OpenIdConnect__ClientSecret`— A secret that only the real RP would know
* Other properties of [`OpenIdConnectOptions`](https://learn.microsoft.com/dotnet/api/microsoft.aspnetcore.builder.openidconnectoptions) specified in configuration container `Authentication__Schemes__OpenIdConnect__*`
It may also be run unsecured. Set `Dashboard__Frontend__AuthMode` to `Unsecured`. The frontend endpoint will allow anonymous access. This setting is used during local development, but is not recommended if you attempt to host the dashboard in other settings.
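Review bot: The `DOTNET_DASHBOARD_UNSECURED_ALLOW_ANONYMOUS` bullet names the settings as `Dashboard:Frontend:AuthMode` and `Dashboard:Otlp:AuthMode`, while every other line in this hunk uses the environment-variable form `Dashboard__Frontend__AuthMode`. Since the section says configuration is done via environment variables, use the double-underscore form there too, or state once that `:` and `__` name the same key. The `ClientSecret` bullet is also missing the space before its dash.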
@ -48,25 +48,25 @@ For client certification authentication, set `Dashboard__Otlp__AuthMode` to `Cer
For API key authentication, set `Dashboard__Otlp__AuthMode` to `ApiKey`, then add the following configuration:
- `Dashboard__Otlp__PrimaryApiKey` specifies the primary API key. (required, string)
- `Dashboard__Otlp__SecondaryApiKey` specifies the secondary API key. (optional, string)
* `Dashboard__Otlp__PrimaryApiKey` specifies the primary API key. (required, string)
* `Dashboard__Otlp__SecondaryApiKey` specifies the secondary API key. (optional, string)
It may also be run unsecured. Set `Dashboard__Otlp__AuthMode` to `Unsecured`. The OTLP endpoint will allow anonymous access. This setting is used during local development, but is not recommended if you attempt to host the dashboard in other settings.
## Resources
- `Dashboard__ResourceServiceClient__Url` specifies the gRPC endpoint to which the dashboard connects for its data. There's no default. If this variable is unspecified, the dashboard shows OTEL data but no resource list or console logs.
* `Dashboard__ResourceServiceClient__Url` specifies the gRPC endpoint to which the dashboard connects for its data. There's no default. If this variable is unspecified, the dashboard shows OTEL data but no resource list or console logs.
The resource service client supports certificates. Set `Dashboard__ResourceServiceClient__AuthMode` to `Certificate`, then add the following configuration:
- `Dashboard__ResourceServiceClient__ClientCertificate__Source` (required) one of:
- `File` to load the cert from a file path, configured with:
- `Dashboard__ResourceServiceClient__ClientCertificate__FilePath` (required, string)
- `Dashboard__ResourceServiceClient__ClientCertificate__Password` (optional, string)
- `KeyStore` to load the cert from a key store, configured with:
- `Dashboard__ResourceServiceClient__ClientCertificate__Subject` (required, string)
- `Dashboard__ResourceServiceClient__ClientCertificate__Store` (optional, [`StoreName`](https://learn.microsoft.com/dotnet/api/system.security.cryptography.x509certificates.storename), defaults to `My`)
- `Dashboard__ResourceServiceClient__ClientCertificate__Location` (optional, [`StoreLocation`](https://learn.microsoft.com/dotnet/api/system.security.cryptography.x509certificates.storelocation), defaults to `CurrentUser`)
* `Dashboard__ResourceServiceClient__ClientCertificate__Source` (required) one of:
* `File` to load the cert from a file path, configured with:
* `Dashboard__ResourceServiceClient__ClientCertificate__FilePath` (required, string)
* `Dashboard__ResourceServiceClient__ClientCertificate__Password` (optional, string)
* `KeyStore` to load the cert from a key store, configured with:
* `Dashboard__ResourceServiceClient__ClientCertificate__Subject` (required, string)
* `Dashboard__ResourceServiceClient__ClientCertificate__Store` (optional, [`StoreName`](https://learn.microsoft.com/dotnet/api/system.security.cryptography.x509certificates.storename), defaults to `My`)
* `Dashboard__ResourceServiceClient__ClientCertificate__Location` (optional, [`StoreLocation`](https://learn.microsoft.com/dotnet/api/system.security.cryptography.x509certificates.storelocation), defaults to `CurrentUser`)
To opt-out of authentication, set `Dashboard__ResourceServiceClient__AuthMode` to `Unsecured`. This completely disables all security for the resource service client. This setting is used during local development, but is not recommended if you attempt to host the dashboard in other settings.
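Review bot: The `Dashboard__Otlp__SecondaryApiKey` bullet says only "(optional, string)" and does not say when the secondary key is accepted. Add a sentence on its purpose, for example whether it is honored alongside the primary key to allow rotation, so operators know whether setting it widens what the OTLP endpoint accepts. The hunk header context also reads "client certification authentication", which should probably be "client certificate authentication".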
@ -74,18 +74,18 @@ To opt-out of authentication, set `Dashboard__ResourceServiceClient__AuthMode` t
Telemetry is stored in-memory. To avoid excessive memory usage, the dashboard has limits on the count and size of stored telemetry. When a count limit is reached, new telemetry is added, and the oldest telemetry is removed. When a size limit is reached, data is truncated to the limit.
- `Dashboard__TelemetryLimits__MaxLogCount` specifies the maximum number of log entries. Defaults to 10,000.
- `Dashboard__TelemetryLimits__MaxTraceCount` specifies the maximum number of traces. Defaults to 10,000.
- `Dashboard__TelemetryLimits__MaxMetricsCount` specifies the maximum number of metric data points. Defaults to 50,000.
- `Dashboard__TelemetryLimits__MaxAttributeCount` specifies the maximum number of attributes on telemetry. Defaults to 128.
- `Dashboard__TelemetryLimits__MaxAttributeLength` specifies the maximum length of attributes. Defaults to unlimited.
- `Dashboard__TelemetryLimits__MaxSpanEventCount` specifies the maximum number of events on span attributes. Defaults to unlimited.
* `Dashboard__TelemetryLimits__MaxLogCount` specifies the maximum number of log entries. Defaults to 10,000.
* `Dashboard__TelemetryLimits__MaxTraceCount` specifies the maximum number of traces. Defaults to 10,000.
* `Dashboard__TelemetryLimits__MaxMetricsCount` specifies the maximum number of metric data points. Defaults to 50,000.
* `Dashboard__TelemetryLimits__MaxAttributeCount` specifies the maximum number of attributes on telemetry. Defaults to 128.
* `Dashboard__TelemetryLimits__MaxAttributeLength` specifies the maximum length of attributes. Defaults to unlimited.
* `Dashboard__TelemetryLimits__MaxSpanEventCount` specifies the maximum number of events on span attributes. Defaults to unlimited.
Limits are per-resource. For example, a `MaxLogCount` value of 10,000 configures the dashboard to store up to 10,000 log entries per-resource.
## Other
- `Dashboard__ApplicationName` specifies the application name to be displayed in the UI. This applies only when no resource service URL is specified. When a resource service exists, the service specifies the application name.
* `Dashboard__ApplicationName` specifies the application name to be displayed in the UI. This applies only when no resource service URL is specified. When a resource service exists, the service specifies the application name.
# Related Repositories
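Review bot: `MaxAttributeLength` and `MaxSpanEventCount` are documented as "Defaults to unlimited", which sits oddly beside the opening sentence that the limits exist to avoid excessive memory usage. Say in the doc that these two should be set when the OTLP endpoint is reachable by senders you do not control or runs with `Unsecured` auth, since attribute size and span event count are otherwise unbounded. "events on span attributes" in the `MaxSpanEventCount` bullet also looks like it should read "events on spans".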
@ -126,6 +126,7 @@ View the current tags at the [Microsoft Artifact Registry portal](https://mcr.mi
### CVE Update Policy
.NET container images are regularly monitored for the presence of CVEs. A given image will be rebuilt to pick up fixes for a CVE when:
* We detect the image contains a CVE with a [CVSS](https://nvd.nist.gov/vuln-metrics/cvss) score of "Critical"
* **AND** the CVE is in a package that is added in our Dockerfile layers (meaning the CVE is in a package we explicitly install or any transitive dependencies of those packages)
* **AND** there is a CVE fix for the package available in the affected base image's package repository.
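Review bot: Confirm this edit to the "CVE Update Policy" section was made in the README template rather than by hand, because the identical 6-to-7-line hunk repeats across the README files in this commit. If those files are generated from `eng/readme-templates/`, which the workflow change now excludes from linting, a hand edit here is lost on the next regeneration and the template itself stays unchecked.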


@ -87,6 +87,7 @@ View the current tags at the [Microsoft Artifact Registry portal](https://mcr.mi
### CVE Update Policy
.NET container images are regularly monitored for the presence of CVEs. A given image will be rebuilt to pick up fixes for a CVE when:
* We detect the image contains a CVE with a [CVSS](https://nvd.nist.gov/vuln-metrics/cvss) score of "Critical"
* **AND** the CVE is in a package that is added in our Dockerfile layers (meaning the CVE is in a package we explicitly install or any transitive dependencies of those packages)
* **AND** there is a CVE fix for the package available in the affected base image's package repository.
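Review bot: The first bullet speaks of a CVSS score of "Critical", but CVSS scores are numeric and "Critical" is the severity rating for scores 9.0 to 10.0 in CVSS v3.x. While these lines are being touched, "a CVSS severity rating of Critical" would be exact and would make the rebuild threshold unambiguous to readers comparing it with scanner output.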


@ -21,8 +21,8 @@
You can use C# or F# to write .NET apps.
- [C#](https://docs.microsoft.com/dotnet/csharp/) is powerful, type-safe, and object-oriented while retaining the expressiveness and elegance of C-style languages. Anyone familiar with C and similar languages will find it straightforward to write in C#.
- [F#](https://docs.microsoft.com/dotnet/fsharp/) is a cross-platform, open-source, functional programming language for .NET. It also includes object-oriented and imperative programming.
* [C#](https://docs.microsoft.com/dotnet/csharp/) is powerful, type-safe, and object-oriented while retaining the expressiveness and elegance of C-style languages. Anyone familiar with C and similar languages will find it straightforward to write in C#.
* [F#](https://docs.microsoft.com/dotnet/fsharp/) is a cross-platform, open-source, functional programming language for .NET. It also includes object-oriented and imperative programming.
[.NET](https://github.com/dotnet/core) is open source (MIT and Apache 2 licenses) and was contributed to the [.NET Foundation](http://dotnetfoundation.org) by Microsoft in 2014. It can be freely adopted by individuals and companies, including for personal, academic or commercial purposes. Multiple companies use .NET as part of apps, tools, new platforms and hosting services.
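Review bot: The context line below the two bullets links to `http://dotnetfoundation.org` over plain HTTP, and the bullets use `docs.microsoft.com` while other README files in this commit link to `learn.microsoft.com`. Switch the foundation link to `https://` and align the docs host while the list is being reformatted.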


@ -69,6 +69,7 @@ View the current tags at the [Microsoft Artifact Registry portal](https://mcr.mi
### CVE Update Policy
.NET container images are regularly monitored for the presence of CVEs. A given image will be rebuilt to pick up fixes for a CVE when:
* We detect the image contains a CVE with a [CVSS](https://nvd.nist.gov/vuln-metrics/cvss) score of "Critical"
* **AND** the CVE is in a package that is added in our Dockerfile layers (meaning the CVE is in a package we explicitly install or any transitive dependencies of those packages)
* **AND** there is a CVE fix for the package available in the affected base image's package repository.


@ -70,6 +70,7 @@ View the current tags at the [Microsoft Artifact Registry portal](https://mcr.mi
### CVE Update Policy
.NET container images are regularly monitored for the presence of CVEs. A given image will be rebuilt to pick up fixes for a CVE when:
* We detect the image contains a CVE with a [CVSS](https://nvd.nist.gov/vuln-metrics/cvss) score of "Critical"
* **AND** the CVE is in a package that is added in our Dockerfile layers (meaning the CVE is in a package we explicitly install or any transitive dependencies of those packages)
* **AND** there is a CVE fix for the package available in the affected base image's package repository.


@ -68,6 +68,7 @@ View the current tags at the [Microsoft Artifact Registry portal](https://mcr.mi
### CVE Update Policy
.NET container images are regularly monitored for the presence of CVEs. A given image will be rebuilt to pick up fixes for a CVE when:
* We detect the image contains a CVE with a [CVSS](https://nvd.nist.gov/vuln-metrics/cvss) score of "Critical"
* **AND** the CVE is in a package that is added in our Dockerfile layers (meaning the CVE is in a package we explicitly install or any transitive dependencies of those packages)
* **AND** there is a CVE fix for the package available in the affected base image's package repository.


@ -76,6 +76,7 @@ View the current tags at the [Microsoft Artifact Registry portal](https://mcr.mi
### CVE Update Policy
.NET container images are regularly monitored for the presence of CVEs. A given image will be rebuilt to pick up fixes for a CVE when:
* We detect the image contains a CVE with a [CVSS](https://nvd.nist.gov/vuln-metrics/cvss) score of "Critical"
* **AND** the CVE is in a package that is added in our Dockerfile layers (meaning the CVE is in a package we explicitly install or any transitive dependencies of those packages)
* **AND** there is a CVE fix for the package available in the affected base image's package repository.


@ -95,6 +95,7 @@ These sample images are not intended for production use and may be subject to br
### CVE Update Policy
.NET container images are regularly monitored for the presence of CVEs. A given image will be rebuilt to pick up fixes for a CVE when:
* We detect the image contains a CVE with a [CVSS](https://nvd.nist.gov/vuln-metrics/cvss) score of "Critical"
* **AND** the CVE is in a package that is added in our Dockerfile layers (meaning the CVE is in a package we explicitly install or any transitive dependencies of those packages)
* **AND** there is a CVE fix for the package available in the affected base image's package repository.


@ -78,6 +78,7 @@ View the current tags at the [Microsoft Artifact Registry portal](https://mcr.mi
### CVE Update Policy
.NET container images are regularly monitored for the presence of CVEs. A given image will be rebuilt to pick up fixes for a CVE when:
* We detect the image contains a CVE with a [CVSS](https://nvd.nist.gov/vuln-metrics/cvss) score of "Critical"
* **AND** the CVE is in a package that is added in our Dockerfile layers (meaning the CVE is in a package we explicitly install or any transitive dependencies of those packages)
* **AND** there is a CVE fix for the package available in the affected base image's package repository.


@ -33,28 +33,28 @@ The .NET Aspire Dashboard is a browser-based app to view run-time information ab
The dashboard shows:
- Resources that make up your app, such as .NET projects, executables and containers.
- Live console logs of resources.
- Live telemetry, such as structured logs, traces and metrics.
* Resources that make up your app, such as .NET projects, executables and containers.
* Live console logs of resources.
* Live telemetry, such as structured logs, traces and metrics.
### Configuration
The dashboard must be configured when it is started. The configuration is done via environment variables. The following environment variables are supported:
- `ASPNETCORE_URLS` specifies one or more HTTP endpoints through which the dashboard frontend is served. The frontend endpoint is used to view the dashboard in a browser. Defaults to http://localhost:18888.
- `DOTNET_DASHBOARD_OTLP_ENDPOINT_URL` specifies the [OTLP/gRPC](https://opentelemetry.io/docs/specs/otlp/#otlpgrpc) endpoint. This endpoint hosts an OTLP service and receives telemetry using gRPC. When the dashboard is launched by the .NET Aspire app host this address is secured with HTTPS. Securing the dashboard with HTTPS is recommended. Defaults to http://localhost:18889.
- `DOTNET_DASHBOARD_OTLP_HTTP_ENDPOINT_URL` specifies the [OTLP/HTTP](https://opentelemetry.io/docs/specs/otlp/#otlphttp) endpoint. This endpoint hosts an OTLP service and receives telemetry using Protobuf over HTTP. Defaults to http://localhost:18890.
- `DOTNET_DASHBOARD_UNSECURED_ALLOW_ANONYMOUS` specifies the dashboard doesn't use authentication and accepts anonymous access. This setting is a shortcut to configuring `Dashboard:Frontend:AuthMode` and `Dashboard:Otlp:AuthMode` to `Unsecured`.
- `DOTNET_DASHBOARD_CONFIG_FILE_PATH` specifies the path for an optional JSON configuration file.
* `ASPNETCORE_URLS` specifies one or more HTTP endpoints through which the dashboard frontend is served. The frontend endpoint is used to view the dashboard in a browser. Defaults to `http://localhost:18888`.
* `DOTNET_DASHBOARD_OTLP_ENDPOINT_URL` specifies the [OTLP/gRPC](https://opentelemetry.io/docs/specs/otlp/#otlpgrpc) endpoint. This endpoint hosts an OTLP service and receives telemetry using gRPC. When the dashboard is launched by the .NET Aspire app host this address is secured with HTTPS. Securing the dashboard with HTTPS is recommended. Defaults to `http://localhost:18889`.
* `DOTNET_DASHBOARD_OTLP_HTTP_ENDPOINT_URL` specifies the [OTLP/HTTP](https://opentelemetry.io/docs/specs/otlp/#otlphttp) endpoint. This endpoint hosts an OTLP service and receives telemetry using Protobuf over HTTP. Defaults to `http://localhost:18890`.
* `DOTNET_DASHBOARD_UNSECURED_ALLOW_ANONYMOUS` specifies the dashboard doesn't use authentication and accepts anonymous access. This setting is a shortcut to configuring `Dashboard:Frontend:AuthMode` and `Dashboard:Otlp:AuthMode` to `Unsecured`.
* `DOTNET_DASHBOARD_CONFIG_FILE_PATH` specifies the path for an optional JSON configuration file.
#### Frontend authentication
The dashboard's frontend supports OpenID Connect (OIDC). Set `Dashboard__Frontend__AuthMode` to `OpenIdConnect`, then add the following configuration:
- `Authentication__Schemes__OpenIdConnect__Authority` — URL to the identity provider (IdP)
- `Authentication__Schemes__OpenIdConnect__ClientId` — Identity of the relying party (RP)
- `Authentication__Schemes__OpenIdConnect__ClientSecret`— A secret that only the real RP would know
- Other properties of [`OpenIdConnectOptions`](https://learn.microsoft.com/dotnet/api/microsoft.aspnetcore.builder.openidconnectoptions) specified in configuration container `Authentication__Schemes__OpenIdConnect__*`
* `Authentication__Schemes__OpenIdConnect__Authority` — URL to the identity provider (IdP)
* `Authentication__Schemes__OpenIdConnect__ClientId` — Identity of the relying party (RP)
* `Authentication__Schemes__OpenIdConnect__ClientSecret`— A secret that only the real RP would know
* Other properties of [`OpenIdConnectOptions`](https://learn.microsoft.com/dotnet/api/microsoft.aspnetcore.builder.openidconnectoptions) specified in configuration container `Authentication__Schemes__OpenIdConnect__*`
It may also be run unsecured. Set `Dashboard__Frontend__AuthMode` to `Unsecured`. The frontend endpoint will allow anonymous access. This setting is used during local development, but is not recommended if you attempt to host the dashboard in other settings.
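Review bot: The three endpoint bullets give defaults of `http://localhost:18888`, `http://localhost:18889` and `http://localhost:18890`, while the OTLP/gRPC bullet states that securing the dashboard with HTTPS is recommended. State next to the defaults that they are unencrypted and bound to `localhost`, and show an `https://` value for `ASPNETCORE_URLS`, so a reader hosting the dashboard elsewhere does not copy the `http://` defaults unchanged.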
@ -66,25 +66,25 @@ For client certification authentication, set `Dashboard__Otlp__AuthMode` to `Cer
For API key authentication, set `Dashboard__Otlp__AuthMode` to `ApiKey`, then add the following configuration:
- `Dashboard__Otlp__PrimaryApiKey` specifies the primary API key. (required, string)
- `Dashboard__Otlp__SecondaryApiKey` specifies the secondary API key. (optional, string)
* `Dashboard__Otlp__PrimaryApiKey` specifies the primary API key. (required, string)
* `Dashboard__Otlp__SecondaryApiKey` specifies the secondary API key. (optional, string)
It may also be run unsecured. Set `Dashboard__Otlp__AuthMode` to `Unsecured`. The OTLP endpoint will allow anonymous access. This setting is used during local development, but is not recommended if you attempt to host the dashboard in other settings.
### Resources
- `Dashboard__ResourceServiceClient__Url` specifies the gRPC endpoint to which the dashboard connects for its data. There's no default. If this variable is unspecified, the dashboard shows OTEL data but no resource list or console logs.
* `Dashboard__ResourceServiceClient__Url` specifies the gRPC endpoint to which the dashboard connects for its data. There's no default. If this variable is unspecified, the dashboard shows OTEL data but no resource list or console logs.
The resource service client supports certificates. Set `Dashboard__ResourceServiceClient__AuthMode` to `Certificate`, then add the following configuration:
- `Dashboard__ResourceServiceClient__ClientCertificate__Source` (required) one of:
- `File` to load the cert from a file path, configured with:
- `Dashboard__ResourceServiceClient__ClientCertificate__FilePath` (required, string)
- `Dashboard__ResourceServiceClient__ClientCertificate__Password` (optional, string)
- `KeyStore` to load the cert from a key store, configured with:
- `Dashboard__ResourceServiceClient__ClientCertificate__Subject` (required, string)
- `Dashboard__ResourceServiceClient__ClientCertificate__Store` (optional, [`StoreName`](https://learn.microsoft.com/dotnet/api/system.security.cryptography.x509certificates.storename), defaults to `My`)
- `Dashboard__ResourceServiceClient__ClientCertificate__Location` (optional, [`StoreLocation`](https://learn.microsoft.com/dotnet/api/system.security.cryptography.x509certificates.storelocation), defaults to `CurrentUser`)
* `Dashboard__ResourceServiceClient__ClientCertificate__Source` (required) one of:
* `File` to load the cert from a file path, configured with:
* `Dashboard__ResourceServiceClient__ClientCertificate__FilePath` (required, string)
* `Dashboard__ResourceServiceClient__ClientCertificate__Password` (optional, string)
* `KeyStore` to load the cert from a key store, configured with:
* `Dashboard__ResourceServiceClient__ClientCertificate__Subject` (required, string)
* `Dashboard__ResourceServiceClient__ClientCertificate__Store` (optional, [`StoreName`](https://learn.microsoft.com/dotnet/api/system.security.cryptography.x509certificates.storename), defaults to `My`)
* `Dashboard__ResourceServiceClient__ClientCertificate__Location` (optional, [`StoreLocation`](https://learn.microsoft.com/dotnet/api/system.security.cryptography.x509certificates.storelocation), defaults to `CurrentUser`)
To opt-out of authentication, set `Dashboard__ResourceServiceClient__AuthMode` to `Unsecured`. This completely disables all security for the resource service client. This setting is used during local development, but is not recommended if you attempt to host the dashboard in other settings.
@ -92,18 +92,18 @@ To opt-out of authentication, set `Dashboard__ResourceServiceClient__AuthMode` t
Telemetry is stored in-memory. To avoid excessive memory usage, the dashboard has limits on the count and size of stored telemetry. When a count limit is reached, new telemetry is added, and the oldest telemetry is removed. When a size limit is reached, data is truncated to the limit.
- `Dashboard__TelemetryLimits__MaxLogCount` specifies the maximum number of log entries. Defaults to 10,000.
- `Dashboard__TelemetryLimits__MaxTraceCount` specifies the maximum number of traces. Defaults to 10,000.
- `Dashboard__TelemetryLimits__MaxMetricsCount` specifies the maximum number of metric data points. Defaults to 50,000.
- `Dashboard__TelemetryLimits__MaxAttributeCount` specifies the maximum number of attributes on telemetry. Defaults to 128.
- `Dashboard__TelemetryLimits__MaxAttributeLength` specifies the maximum length of attributes. Defaults to unlimited.
- `Dashboard__TelemetryLimits__MaxSpanEventCount` specifies the maximum number of events on span attributes. Defaults to unlimited.
* `Dashboard__TelemetryLimits__MaxLogCount` specifies the maximum number of log entries. Defaults to 10,000.
* `Dashboard__TelemetryLimits__MaxTraceCount` specifies the maximum number of traces. Defaults to 10,000.
* `Dashboard__TelemetryLimits__MaxMetricsCount` specifies the maximum number of metric data points. Defaults to 50,000.
* `Dashboard__TelemetryLimits__MaxAttributeCount` specifies the maximum number of attributes on telemetry. Defaults to 128.
* `Dashboard__TelemetryLimits__MaxAttributeLength` specifies the maximum length of attributes. Defaults to unlimited.
* `Dashboard__TelemetryLimits__MaxSpanEventCount` specifies the maximum number of events on span attributes. Defaults to unlimited.
Limits are per-resource. For example, a `MaxLogCount` value of 10,000 configures the dashboard to store up to 10,000 log entries per-resource.
### Other
- `Dashboard__ApplicationName` specifies the application name to be displayed in the UI. This applies only when no resource service URL is specified. When a resource service exists, the service specifies the application name.
* `Dashboard__ApplicationName` specifies the application name to be displayed in the UI. This applies only when no resource service URL is specified. When a resource service exists, the service specifies the application name.
## Support
@ -122,6 +122,7 @@ Limits are per-resource. For example, a `MaxLogCount` value of 10,000 configures
#### CVE Update Policy
.NET container images are regularly monitored for the presence of CVEs. A given image will be rebuilt to pick up fixes for a CVE when:
* We detect the image contains a CVE with a [CVSS](https://nvd.nist.gov/vuln-metrics/cvss) score of "Critical"
* **AND** the CVE is in a package that is added in our Dockerfile layers (meaning the CVE is in a package we explicitly install or any transitive dependencies of those packages)
* **AND** there is a CVE fix for the package available in the affected base image's package repository.


@ -83,6 +83,7 @@ The [Image Variants documentation](https://github.com/dotnet/dotnet-docker/blob/
#### CVE Update Policy
.NET container images are regularly monitored for the presence of CVEs. A given image will be rebuilt to pick up fixes for a CVE when:
* We detect the image contains a CVE with a [CVSS](https://nvd.nist.gov/vuln-metrics/cvss) score of "Critical"
* **AND** the CVE is in a package that is added in our Dockerfile layers (meaning the CVE is in a package we explicitly install or any transitive dependencies of those packages)
* **AND** there is a CVE fix for the package available in the affected base image's package repository.


@ -65,6 +65,7 @@ The following Dockerfiles demonstrate how you can use this base image to build a
#### CVE Update Policy
.NET container images are regularly monitored for the presence of CVEs. A given image will be rebuilt to pick up fixes for a CVE when:
* We detect the image contains a CVE with a [CVSS](https://nvd.nist.gov/vuln-metrics/cvss) score of "Critical"
* **AND** the CVE is in a package that is added in our Dockerfile layers (meaning the CVE is in a package we explicitly install or any transitive dependencies of those packages)
* **AND** there is a CVE fix for the package available in the affected base image's package repository.

View file

@ -66,6 +66,7 @@ See the [documentation](https://go.microsoft.com/fwlink/?linkid=2158052) for how
#### CVE Update Policy
.NET container images are regularly monitored for the presence of CVEs. A given image will be rebuilt to pick up fixes for a CVE when:
* We detect the image contains a CVE with a [CVSS](https://nvd.nist.gov/vuln-metrics/cvss) score of "Critical"
* **AND** the CVE is in a package that is added in our Dockerfile layers (meaning the CVE is in a package we explicitly install or any transitive dependencies of those packages)
* **AND** there is a CVE fix for the package available in the affected base image's package repository.

View file

@ -64,6 +64,7 @@ The [Image Variants documentation](https://github.com/dotnet/dotnet-docker/blob/
#### CVE Update Policy
.NET container images are regularly monitored for the presence of CVEs. A given image will be rebuilt to pick up fixes for a CVE when:
* We detect the image contains a CVE with a [CVSS](https://nvd.nist.gov/vuln-metrics/cvss) score of "Critical"
* **AND** the CVE is in a package that is added in our Dockerfile layers (meaning the CVE is in a package we explicitly install or any transitive dependencies of those packages)
* **AND** there is a CVE fix for the package available in the affected base image's package repository.

View file

@ -72,6 +72,7 @@ The [Image Variants documentation](https://github.com/dotnet/dotnet-docker/blob/
#### CVE Update Policy
.NET container images are regularly monitored for the presence of CVEs. A given image will be rebuilt to pick up fixes for a CVE when:
* We detect the image contains a CVE with a [CVSS](https://nvd.nist.gov/vuln-metrics/cvss) score of "Critical"
* **AND** the CVE is in a package that is added in our Dockerfile layers (meaning the CVE is in a package we explicitly install or any transitive dependencies of those packages)
* **AND** there is a CVE fix for the package available in the affected base image's package repository.

View file

@ -91,6 +91,7 @@ These sample images are not intended for production use and may be subject to br
#### CVE Update Policy
.NET container images are regularly monitored for the presence of CVEs. A given image will be rebuilt to pick up fixes for a CVE when:
* We detect the image contains a CVE with a [CVSS](https://nvd.nist.gov/vuln-metrics/cvss) score of "Critical"
* **AND** the CVE is in a package that is added in our Dockerfile layers (meaning the CVE is in a package we explicitly install or any transitive dependencies of those packages)
* **AND** there is a CVE fix for the package available in the affected base image's package repository.

View file

@ -74,6 +74,7 @@ The [Image Variants documentation](https://github.com/dotnet/dotnet-docker/blob/
#### CVE Update Policy
.NET container images are regularly monitored for the presence of CVEs. A given image will be rebuilt to pick up fixes for a CVE when:
* We detect the image contains a CVE with a [CVSS](https://nvd.nist.gov/vuln-metrics/cvss) score of "Critical"
* **AND** the CVE is in a package that is added in our Dockerfile layers (meaning the CVE is in a package we explicitly install or any transitive dependencies of those packages)
* **AND** there is a CVE fix for the package available in the affected base image's package repository.

View file

@ -12,7 +12,7 @@ Please keep in mind that the GitHub issue tracker is intended for reporting **no
If you're reporting the presence of a disclosed security vulnerability, such as a CVE reported in one of our container images, please follow our documented [guidance on vulnerability reporting](https://github.com/dotnet/dotnet-docker/blob/main/documentation/vulnerability-reporting.md).
If you believe you have an issue that affects the security of .NET, please do NOT create an issue and instead email your issue details to secure@microsoft.com.
If you believe you have an issue that affects the security of .NET, please do NOT create an issue and instead email your issue details to <secure@microsoft.com>.
Your report may be eligible for our [bug bounty](https://www.microsoft.com/en-us/msrc/bounty-dot-net-core), but ONLY if it is reported through email.
## Bugs and Feature Requests
@ -27,7 +27,7 @@ We triage issues and decide which issues to prioritize on a weekly basis, so if
## How to Submit a PR
### Before you write code...
### Before you write code
Please consider opening a feature request.
We are happy to accept community contributions - however, until we discuss your specifc ideas and features as a team, we can't guarantee that we will accept all community PRs.
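Review bot: The context line under the retitled heading still reads "specifc ideas"; it should be "specific". The heading change itself is fine, but this typo sits two lines below it and is worth correcting in the same lint pass.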

View file

@ -15,28 +15,28 @@ The .NET Aspire Dashboard is a browser-based app to view run-time information ab
The dashboard shows:
- Resources that make up your app, such as .NET projects, executables and containers.
- Live console logs of resources.
- Live telemetry, such as structured logs, traces and metrics.
* Resources that make up your app, such as .NET projects, executables and containers.
* Live console logs of resources.
* Live telemetry, such as structured logs, traces and metrics.
## Configuration
The dashboard must be configured when it is started. The configuration is done via environment variables. The following environment variables are supported:
- `ASPNETCORE_URLS` specifies one or more HTTP endpoints through which the dashboard frontend is served. The frontend endpoint is used to view the dashboard in a browser. Defaults to http://localhost:18888.
- `DOTNET_DASHBOARD_OTLP_ENDPOINT_URL` specifies the [OTLP/gRPC](https://opentelemetry.io/docs/specs/otlp/#otlpgrpc) endpoint. This endpoint hosts an OTLP service and receives telemetry using gRPC. When the dashboard is launched by the .NET Aspire app host this address is secured with HTTPS. Securing the dashboard with HTTPS is recommended. Defaults to http://localhost:18889.
- `DOTNET_DASHBOARD_OTLP_HTTP_ENDPOINT_URL` specifies the [OTLP/HTTP](https://opentelemetry.io/docs/specs/otlp/#otlphttp) endpoint. This endpoint hosts an OTLP service and receives telemetry using Protobuf over HTTP. Defaults to http://localhost:18890.
- `DOTNET_DASHBOARD_UNSECURED_ALLOW_ANONYMOUS` specifies the dashboard doesn't use authentication and accepts anonymous access. This setting is a shortcut to configuring `Dashboard:Frontend:AuthMode` and `Dashboard:Otlp:AuthMode` to `Unsecured`.
- `DOTNET_DASHBOARD_CONFIG_FILE_PATH` specifies the path for an optional JSON configuration file.
* `ASPNETCORE_URLS` specifies one or more HTTP endpoints through which the dashboard frontend is served. The frontend endpoint is used to view the dashboard in a browser. Defaults to `http://localhost:18888`.
* `DOTNET_DASHBOARD_OTLP_ENDPOINT_URL` specifies the [OTLP/gRPC](https://opentelemetry.io/docs/specs/otlp/#otlpgrpc) endpoint. This endpoint hosts an OTLP service and receives telemetry using gRPC. When the dashboard is launched by the .NET Aspire app host this address is secured with HTTPS. Securing the dashboard with HTTPS is recommended. Defaults to `http://localhost:18889`.
* `DOTNET_DASHBOARD_OTLP_HTTP_ENDPOINT_URL` specifies the [OTLP/HTTP](https://opentelemetry.io/docs/specs/otlp/#otlphttp) endpoint. This endpoint hosts an OTLP service and receives telemetry using Protobuf over HTTP. Defaults to `http://localhost:18890`.
* `DOTNET_DASHBOARD_UNSECURED_ALLOW_ANONYMOUS` specifies the dashboard doesn't use authentication and accepts anonymous access. This setting is a shortcut to configuring `Dashboard:Frontend:AuthMode` and `Dashboard:Otlp:AuthMode` to `Unsecured`.
* `DOTNET_DASHBOARD_CONFIG_FILE_PATH` specifies the path for an optional JSON configuration file.
### Frontend authentication
The dashboard's frontend supports OpenID Connect (OIDC). Set `Dashboard__Frontend__AuthMode` to `OpenIdConnect`, then add the following configuration:
- `Authentication__Schemes__OpenIdConnect__Authority` &mdash; URL to the identity provider (IdP)
- `Authentication__Schemes__OpenIdConnect__ClientId` &mdash; Identity of the relying party (RP)
- `Authentication__Schemes__OpenIdConnect__ClientSecret`&mdash; A secret that only the real RP would know
- Other properties of [`OpenIdConnectOptions`](https://learn.microsoft.com/dotnet/api/microsoft.aspnetcore.builder.openidconnectoptions) specified in configuration container `Authentication__Schemes__OpenIdConnect__*`
* `Authentication__Schemes__OpenIdConnect__Authority` &mdash; URL to the identity provider (IdP)
* `Authentication__Schemes__OpenIdConnect__ClientId` &mdash; Identity of the relying party (RP)
* `Authentication__Schemes__OpenIdConnect__ClientSecret`&mdash; A secret that only the real RP would know
* Other properties of [`OpenIdConnectOptions`](https://learn.microsoft.com/dotnet/api/microsoft.aspnetcore.builder.openidconnectoptions) specified in configuration container `Authentication__Schemes__OpenIdConnect__*`
It may also be run unsecured. Set `Dashboard__Frontend__AuthMode` to `Unsecured`. The frontend endpoint will allow anonymous access. This setting is used during local development, but is not recommended if you attempt to host the dashboard in other settings.
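Review bot: The rewritten `Authentication__Schemes__OpenIdConnect__ClientSecret` bullet still has no space between the closing backtick and `&mdash;`, unlike the `Authority` and `ClientId` bullets directly above it. The line is already being changed for the list marker, so add the space there so that the three bullets render consistently.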
@ -48,25 +48,25 @@ For client certification authentication, set `Dashboard__Otlp__AuthMode` to `Cer
For API key authentication, set `Dashboard__Otlp__AuthMode` to `ApiKey`, then add the following configuration:
- `Dashboard__Otlp__PrimaryApiKey` specifies the primary API key. (required, string)
- `Dashboard__Otlp__SecondaryApiKey` specifies the secondary API key. (optional, string)
* `Dashboard__Otlp__PrimaryApiKey` specifies the primary API key. (required, string)
* `Dashboard__Otlp__SecondaryApiKey` specifies the secondary API key. (optional, string)
It may also be run unsecured. Set `Dashboard__Otlp__AuthMode` to `Unsecured`. The OTLP endpoint will allow anonymous access. This setting is used during local development, but is not recommended if you attempt to host the dashboard in other settings.
## Resources
- `Dashboard__ResourceServiceClient__Url` specifies the gRPC endpoint to which the dashboard connects for its data. There's no default. If this variable is unspecified, the dashboard shows OTEL data but no resource list or console logs.
* `Dashboard__ResourceServiceClient__Url` specifies the gRPC endpoint to which the dashboard connects for its data. There's no default. If this variable is unspecified, the dashboard shows OTEL data but no resource list or console logs.
The resource service client supports certificates. Set `Dashboard__ResourceServiceClient__AuthMode` to `Certificate`, then add the following configuration:
- `Dashboard__ResourceServiceClient__ClientCertificate__Source` (required) one of:
- `File` to load the cert from a file path, configured with:
- `Dashboard__ResourceServiceClient__ClientCertificate__FilePath` (required, string)
- `Dashboard__ResourceServiceClient__ClientCertificate__Password` (optional, string)
- `KeyStore` to load the cert from a key store, configured with:
- `Dashboard__ResourceServiceClient__ClientCertificate__Subject` (required, string)
- `Dashboard__ResourceServiceClient__ClientCertificate__Store` (optional, [`StoreName`](https://learn.microsoft.com/dotnet/api/system.security.cryptography.x509certificates.storename), defaults to `My`)
- `Dashboard__ResourceServiceClient__ClientCertificate__Location` (optional, [`StoreLocation`](https://learn.microsoft.com/dotnet/api/system.security.cryptography.x509certificates.storelocation), defaults to `CurrentUser`)
* `Dashboard__ResourceServiceClient__ClientCertificate__Source` (required) one of:
* `File` to load the cert from a file path, configured with:
* `Dashboard__ResourceServiceClient__ClientCertificate__FilePath` (required, string)
* `Dashboard__ResourceServiceClient__ClientCertificate__Password` (optional, string)
* `KeyStore` to load the cert from a key store, configured with:
* `Dashboard__ResourceServiceClient__ClientCertificate__Subject` (required, string)
* `Dashboard__ResourceServiceClient__ClientCertificate__Store` (optional, [`StoreName`](https://learn.microsoft.com/dotnet/api/system.security.cryptography.x509certificates.storename), defaults to `My`)
* `Dashboard__ResourceServiceClient__ClientCertificate__Location` (optional, [`StoreLocation`](https://learn.microsoft.com/dotnet/api/system.security.cryptography.x509certificates.storelocation), defaults to `CurrentUser`)
To opt-out of authentication, set `Dashboard__ResourceServiceClient__AuthMode` to `Unsecured`. This completely disables all security for the resource service client. This setting is used during local development, but is not recommended if you attempt to host the dashboard in other settings.
@ -74,18 +74,18 @@ To opt-out of authentication, set `Dashboard__ResourceServiceClient__AuthMode` t
Telemetry is stored in-memory. To avoid excessive memory usage, the dashboard has limits on the count and size of stored telemetry. When a count limit is reached, new telemetry is added, and the oldest telemetry is removed. When a size limit is reached, data is truncated to the limit.
- `Dashboard__TelemetryLimits__MaxLogCount` specifies the maximum number of log entries. Defaults to 10,000.
- `Dashboard__TelemetryLimits__MaxTraceCount` specifies the maximum number of traces. Defaults to 10,000.
- `Dashboard__TelemetryLimits__MaxMetricsCount` specifies the maximum number of metric data points. Defaults to 50,000.
- `Dashboard__TelemetryLimits__MaxAttributeCount` specifies the maximum number of attributes on telemetry. Defaults to 128.
- `Dashboard__TelemetryLimits__MaxAttributeLength` specifies the maximum length of attributes. Defaults to unlimited.
- `Dashboard__TelemetryLimits__MaxSpanEventCount` specifies the maximum number of events on span attributes. Defaults to unlimited.
* `Dashboard__TelemetryLimits__MaxLogCount` specifies the maximum number of log entries. Defaults to 10,000.
* `Dashboard__TelemetryLimits__MaxTraceCount` specifies the maximum number of traces. Defaults to 10,000.
* `Dashboard__TelemetryLimits__MaxMetricsCount` specifies the maximum number of metric data points. Defaults to 50,000.
* `Dashboard__TelemetryLimits__MaxAttributeCount` specifies the maximum number of attributes on telemetry. Defaults to 128.
* `Dashboard__TelemetryLimits__MaxAttributeLength` specifies the maximum length of attributes. Defaults to unlimited.
* `Dashboard__TelemetryLimits__MaxSpanEventCount` specifies the maximum number of events on span attributes. Defaults to unlimited.
Limits are per-resource. For example, a `MaxLogCount` value of 10,000 configures the dashboard to store up to 10,000 log entries per-resource.
## Other
- `Dashboard__ApplicationName` specifies the application name to be displayed in the UI. This applies only when no resource service URL is specified. When a resource service exists, the service specifies the application name.
* `Dashboard__ApplicationName` specifies the application name to be displayed in the UI. This applies only when no resource service URL is specified. When a resource service exists, the service specifies the application name.
# Related Repositories
@ -139,6 +139,7 @@ You can retrieve a list of all available tags for dotnet/aspire-dashboard at htt
### CVE Update Policy
.NET container images are regularly monitored for the presence of CVEs. A given image will be rebuilt to pick up fixes for a CVE when:
* We detect the image contains a CVE with a [CVSS](https://nvd.nist.gov/vuln-metrics/cvss) score of "Critical"
* **AND** the CVE is in a package that is added in our Dockerfile layers (meaning the CVE is in a package we explicitly install or any transitive dependencies of those packages)
* **AND** there is a CVE fix for the package available in the affected base image's package repository.

View file

@ -251,8 +251,6 @@ Tag | Dockerfile
You can retrieve a list of all available tags for dotnet/aspnet at https://mcr.microsoft.com/v2/dotnet/aspnet/tags/list.
<!--End of generated tags-->
For tags contained in the old dotnet/core/aspnet repository, you can retrieve a list of those tags at https://mcr.microsoft.com/v2/dotnet/core/aspnet/tags/list.
*Tags not listed in the table above are not supported. See the [Supported Tags Policy](https://github.com/dotnet/dotnet-docker/blob/main/documentation/supported-tags.md)*
# Support
@ -272,6 +270,7 @@ For tags contained in the old dotnet/core/aspnet repository, you can retrieve a
### CVE Update Policy
.NET container images are regularly monitored for the presence of CVEs. A given image will be rebuilt to pick up fixes for a CVE when:
* We detect the image contains a CVE with a [CVSS](https://nvd.nist.gov/vuln-metrics/cvss) score of "Critical"
* **AND** the CVE is in a package that is added in our Dockerfile layers (meaning the CVE is in a package we explicitly install or any transitive dependencies of those packages)
* **AND** there is a CVE fix for the package available in the affected base image's package repository.

View file

@ -16,14 +16,14 @@
You can use C# or F# to write .NET apps.
- [C#](https://docs.microsoft.com/dotnet/csharp/) is powerful, type-safe, and object-oriented while retaining the expressiveness and elegance of C-style languages. Anyone familiar with C and similar languages will find it straightforward to write in C#.
- [F#](https://docs.microsoft.com/dotnet/fsharp/) is a cross-platform, open-source, functional programming language for .NET. It also includes object-oriented and imperative programming.
* [C#](https://docs.microsoft.com/dotnet/csharp/) is powerful, type-safe, and object-oriented while retaining the expressiveness and elegance of C-style languages. Anyone familiar with C and similar languages will find it straightforward to write in C#.
* [F#](https://docs.microsoft.com/dotnet/fsharp/) is a cross-platform, open-source, functional programming language for .NET. It also includes object-oriented and imperative programming.
[.NET](https://github.com/dotnet/core) is open source (MIT and Apache 2 licenses) and was contributed to the [.NET Foundation](http://dotnetfoundation.org) by Microsoft in 2014. It can be freely adopted by individuals and companies, including for personal, academic or commercial purposes. Multiple companies use .NET as part of apps, tools, new platforms and hosting services.
You are invited to [contribute new features](https://github.com/dotnet/core/blob/master/CONTRIBUTING.md), fixes, or updates, large or small; we are always thrilled to receive pull requests, and do our best to process them as fast as we can.
> https://docs.microsoft.com/dotnet/core/
> [.NET Documentation](https://docs.microsoft.com/dotnet/core/)
Watch [discussions](https://github.com/dotnet/dotnet-docker/discussions/categories/announcements) for Docker-related .NET announcements.
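Review bot: The `.NET Foundation` link in the context paragraph still uses plain `http://dotnetfoundation.org`; switch it to `https://` while the links in this block are being tidied. The contribution link in the next paragraph points at `blob/master`, whereas the dotnet-docker links elsewhere in this commit use `blob/main`, so confirm it still resolves.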
@ -102,6 +102,7 @@ The [Image Variants documentation](https://github.com/dotnet/dotnet-docker/blob/
### CVE Update Policy
.NET container images are regularly monitored for the presence of CVEs. A given image will be rebuilt to pick up fixes for a CVE when:
* We detect the image contains a CVE with a [CVSS](https://nvd.nist.gov/vuln-metrics/cvss) score of "Critical"
* **AND** the CVE is in a package that is added in our Dockerfile layers (meaning the CVE is in a package we explicitly install or any transitive dependencies of those packages)
* **AND** there is a CVE fix for the package available in the affected base image's package repository.

View file

@ -94,6 +94,7 @@ You can retrieve a list of all available tags for dotnet/monitor/base at https:/
### CVE Update Policy
.NET container images are regularly monitored for the presence of CVEs. A given image will be rebuilt to pick up fixes for a CVE when:
* We detect the image contains a CVE with a [CVSS](https://nvd.nist.gov/vuln-metrics/cvss) score of "Critical"
* **AND** the CVE is in a package that is added in our Dockerfile layers (meaning the CVE is in a package we explicitly install or any transitive dependencies of those packages)
* **AND** there is a CVE fix for the package available in the affected base image's package repository.

View file

@ -103,6 +103,7 @@ You can retrieve a list of all available tags for dotnet/monitor at https://mcr.
### CVE Update Policy
.NET container images are regularly monitored for the presence of CVEs. A given image will be rebuilt to pick up fixes for a CVE when:
* We detect the image contains a CVE with a [CVSS](https://nvd.nist.gov/vuln-metrics/cvss) score of "Critical"
* **AND** the CVE is in a package that is added in our Dockerfile layers (meaning the CVE is in a package we explicitly install or any transitive dependencies of those packages)
* **AND** there is a CVE fix for the package available in the affected base image's package repository.

View file

@ -164,8 +164,6 @@ Tags | Dockerfile | OS Version
You can retrieve a list of all available tags for dotnet/runtime-deps at https://mcr.microsoft.com/v2/dotnet/runtime-deps/tags/list.
<!--End of generated tags-->
For tags contained in the old dotnet/core/runtime-deps repository, you can retrieve a list of those tags at https://mcr.microsoft.com/v2/dotnet/core/runtime-deps/tags/list.
*Tags not listed in the table above are not supported. See the [Supported Tags Policy](https://github.com/dotnet/dotnet-docker/blob/main/documentation/supported-tags.md)*
# Support
@ -185,6 +183,7 @@ For tags contained in the old dotnet/core/runtime-deps repository, you can retri
### CVE Update Policy
.NET container images are regularly monitored for the presence of CVEs. A given image will be rebuilt to pick up fixes for a CVE when:
* We detect the image contains a CVE with a [CVSS](https://nvd.nist.gov/vuln-metrics/cvss) score of "Critical"
* **AND** the CVE is in a package that is added in our Dockerfile layers (meaning the CVE is in a package we explicitly install or any transitive dependencies of those packages)
* **AND** there is a CVE fix for the package available in the affected base image's package repository.

View file

@ -207,8 +207,6 @@ Tag | Dockerfile
You can retrieve a list of all available tags for dotnet/runtime at https://mcr.microsoft.com/v2/dotnet/runtime/tags/list.
<!--End of generated tags-->
For tags contained in the old dotnet/core/runtime repository, you can retrieve a list of those tags at https://mcr.microsoft.com/v2/dotnet/core/runtime/tags/list.
*Tags not listed in the table above are not supported. See the [Supported Tags Policy](https://github.com/dotnet/dotnet-docker/blob/main/documentation/supported-tags.md)*
# Support
@ -228,6 +226,7 @@ For tags contained in the old dotnet/core/runtime repository, you can retrieve a
### CVE Update Policy
.NET container images are regularly monitored for the presence of CVEs. A given image will be rebuilt to pick up fixes for a CVE when:
* We detect the image contains a CVE with a [CVSS](https://nvd.nist.gov/vuln-metrics/cvss) score of "Critical"
* **AND** the CVE is in a package that is added in our Dockerfile layers (meaning the CVE is in a package we explicitly install or any transitive dependencies of those packages)
* **AND** there is a CVE fix for the package available in the affected base image's package repository.

View file

@ -113,8 +113,6 @@ aspnetapp-8.0-nanoserver-1809, aspnetapp-nanoserver-1809, aspnetapp-8.0, aspneta
You can retrieve a list of all available tags for dotnet/samples at https://mcr.microsoft.com/v2/dotnet/samples/tags/list.
<!--End of generated tags-->
For tags contained in the old dotnet/core/samples repository, you can retrieve a list of those tags at https://mcr.microsoft.com/v2/dotnet/core/samples/tags/list.
*Tags not listed in the table above are not supported. See the [Supported Tags Policy](https://github.com/dotnet/dotnet-docker/blob/main/documentation/supported-tags.md)*
# Support
@ -136,6 +134,7 @@ These sample images are not intended for production use and may be subject to br
### CVE Update Policy
.NET container images are regularly monitored for the presence of CVEs. A given image will be rebuilt to pick up fixes for a CVE when:
* We detect the image contains a CVE with a [CVSS](https://nvd.nist.gov/vuln-metrics/cvss) score of "Critical"
* **AND** the CVE is in a package that is added in our Dockerfile layers (meaning the CVE is in a package we explicitly install or any transitive dependencies of those packages)
* **AND** there is a CVE fix for the package available in the affected base image's package repository.

View file

@ -177,8 +177,6 @@ Tag | Dockerfile
You can retrieve a list of all available tags for dotnet/sdk at https://mcr.microsoft.com/v2/dotnet/sdk/tags/list.
<!--End of generated tags-->
For tags contained in the old dotnet/core/sdk repository, you can retrieve a list of those tags at https://mcr.microsoft.com/v2/dotnet/core/sdk/tags/list.
*Tags not listed in the table above are not supported. See the [Supported Tags Policy](https://github.com/dotnet/dotnet-docker/blob/main/documentation/supported-tags.md)*
# Support
@ -198,6 +196,7 @@ For tags contained in the old dotnet/core/sdk repository, you can retrieve a lis
### CVE Update Policy
.NET container images are regularly monitored for the presence of CVEs. A given image will be rebuilt to pick up fixes for a CVE when:
* We detect the image contains a CVE with a [CVSS](https://nvd.nist.gov/vuln-metrics/cvss) score of "Critical"
* **AND** the CVE is in a package that is added in our Dockerfile layers (meaning the CVE is in a package we explicitly install or any transitive dependencies of those packages)
* **AND** there is a CVE fix for the package available in the affected base image's package repository.

View file

@ -6,7 +6,7 @@ The .NET Core and ASP.NET Core support policy, including supported versions can
## Reporting a Vulnerability
Security issues and bugs should be reported privately to the Microsoft Security Response Center (MSRC), either by emailing secure@microsoft.com or via the portal at https://msrc.microsoft.com.
Security issues and bugs should be reported privately to the Microsoft Security Response Center (MSRC), either by emailing <secure@microsoft.com> or via the [Microsoft Security Response Center](https://msrc.microsoft.com).
You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your
original message. Further information, including the MSRC PGP key, can be found in the [MSRC Report an Issue FAQ](https://www.microsoft.com/en-us/msrc/faqs-report-an-issue).
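Review bot: The new link text in the reporting sentence makes it circular: it now says to report to the Microsoft Security Response Center (MSRC) "via the [Microsoft Security Response Center]". Replacing the bare URL dropped the word "portal", which was what distinguished the second reporting channel from email. Suggest `via the [MSRC portal](https://msrc.microsoft.com)` so the two channels stay clearly separate.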
@ -15,4 +15,3 @@ Reports via MSRC may qualify for the .NET Core Bug Bounty. Details of the .NET C
Please do not open issues for anything you think might have a security implication.
If you're reporting the presence of a disclosed security vulnerability, such as a CVE reported in one of our container images, please follow the documented guidance on vulnerability reporting in [vulnerability-reporting.md](https://github.com/dotnet/dotnet-docker/blob/main/documentation/vulnerability-reporting.md).

View file

@ -18,20 +18,20 @@ General distroless .NET containers documentation is available [here](./distroles
Azure Linux distroless .NET images are available for all supported .NET versions in the following image repos:
- [`mcr.microsoft.com/dotnet/runtime`](../README.runtime.md)
- [`mcr.microsoft.com/dotnet/aspnet`](../README.aspnet.md)
- [`mcr.microsoft.com/dotnet/runtime-deps`](../README.runtime-deps.md) (for self-contained or AOT apps)
* [`mcr.microsoft.com/dotnet/runtime`](../README.runtime.md)
* [`mcr.microsoft.com/dotnet/aspnet`](../README.aspnet.md)
* [`mcr.microsoft.com/dotnet/runtime-deps`](../README.runtime-deps.md) (for self-contained or AOT apps)
You can use the following image tags:
- `8.0-cbl-mariner2.0-distroless`
- `6.0-cbl-mariner2.0-distroless`
* `8.0-cbl-mariner2.0-distroless`
* `6.0-cbl-mariner2.0-distroless`
### Installing Additional Packages
If your app requires additional packages besides `icu` and `tzdata`, you can follow the same pattern that .NET uses to install the .NET runtime dependencies.
#### Azure Linux 3.0 (Preview):
#### Azure Linux 3.0 (Preview)
```Dockerfile
FROM mcr.microsoft.com/dotnet/nightly/aspnet:8.0-azurelinux3.0-distroless AS base
@ -82,7 +82,7 @@ FROM base
COPY --from=installer /staging2/ /
```
#### Azure Linux 2.0:
#### Azure Linux 2.0
```Dockerfile
FROM mcr.microsoft.com/dotnet/aspnet:6.0-cbl-mariner2.0-distroless AS base
@ -141,7 +141,7 @@ The easiest way to enable local Visual Studio debugging while not modifying the
To enable Container Fast Mode debugging without affecting your app's production image, you can create a new stage based off the `base` stage (called `debug` in the example) that contains the debugging tools, and then point the VS Fast Mode tools to that debug stage.
Here's an example chart showing the inheritance of the build stages:
Here's an example chart showing the inheritance of the build stages:
```mermaid
flowchart TD
@ -152,7 +152,8 @@ flowchart TD
Here's an example configuration based off of a simple ASP.NET Core app:
**.csproj**
### *.csproj
```diff
<PropertyGroup>
...
@ -161,7 +162,8 @@ Here's an example configuration based off of a simple ASP.NET Core app:
</PropertyGroup>
```
**Dockerfile**
### Dockerfile
```diff
# Learn about building .NET container images:
# https://github.com/dotnet/dotnet-docker/blob/main/samples/README.md

View file

@ -12,6 +12,7 @@ They contain the following features:
We offer distroless .NET images for two operating systems: [Ubuntu Chiseled](./ubuntu-chiseled.md) and [Azure Linux](./azurelinux.md).
.NET distroless images are available for the following image repos:
- [`mcr.microsoft.com/dotnet/runtime`](../README.runtime.md)
- [`mcr.microsoft.com/dotnet/aspnet`](../README.aspnet.md)
- [`mcr.microsoft.com/dotnet/runtime-deps`](../README.runtime-deps.md) (for self-contained or AOT apps)
@ -112,7 +113,7 @@ COPY --from=build /somefile-extracted .
If your app writes to the disk, you may encounter permission issues at runtime, such as:
```
```text
System.UnauthorizedAccessException: Access to the path "<path>" is denied
```
@ -138,13 +139,13 @@ You can check the user ID that a container will use by running the following com
**Ubuntu**:
```
```console
docker image inspect mcr.microsoft.com/dotnet/runtime-deps:8.0-noble-chiseled -f "{{ .Config.User }}"
```
**Azure Linux**:
```
```console
docker image inspect mcr.microsoft.com/dotnet/runtime-deps:8.0-cbl-mariner2.0-distroless -f "{{ .Config.User }}"
```

View file

@ -100,12 +100,13 @@ FROM mcr.microsoft.com/cbl-mariner/base/core:2.0
COPY --from=distroless / /distroless
```
Note the last instruction copies the entire contents of the distroless container's filesystem to the `/distroless` directory in the wrapper.
This will be the target location used when executing commands.
> [!NOTE]
> The last instruction copies the entire contents of the distroless container's filesystem to the `/distroless` directory in the wrapper.
> This will be the target location used when executing commands.
Next, build the Dockerfile, specifying the distroless image tag you wish to inspect:
```
```console
docker build -t distroless-wrapper --build-arg DISTROLESS_IMAGE=mcr.microsoft.com/dotnet/aspnet:6.0-cbl-mariner2.0-distroless .
```
@ -113,14 +114,14 @@ Now that you've got the wrapper image, you can execute the [commands that are do
For example, instead of executing this command as documented:
```
docker run --rm mcr.microsoft.com/dotnet/aspnet:6.0-cbl-mariner2.0-distroless /bin/sh -c "find ./usr/share/dotnet | grep -i third"
```console
$ docker run --rm mcr.microsoft.com/dotnet/aspnet:6.0-cbl-mariner2.0-distroless /bin/sh -c "find ./usr/share/dotnet | grep -i third"
./usr/share/dotnet/ThirdPartyNotices.txt
```
You would actually execute this command to use the distroless wrapper image (note the difference in the image tag and path parameter):
```
docker run --rm distroless-wrapper /bin/sh -c "find ./distroless/usr/share/dotnet | grep -i third"
```console
$ docker run --rm distroless-wrapper /bin/sh -c "find ./distroless/usr/share/dotnet | grep -i third"
./distroless/usr/share/dotnet/ThirdPartyNotices.txt
```
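Review bot: In the first `console` block, the output line `./usr/share/dotnet/ThirdPartyNotices.txt` now appears under the command that runs `/bin/sh` directly in the distroless image, which the surrounding text presents as the command you would not run as documented. Printing a result there suggests it works against the distroless tag. Suggest keeping the output only under the `distroless-wrapper` command, or dropping the `$` prompt and output from the first block. The `console` blocks in the earlier hunks (`docker build ...`, `docker image inspect ...`) also have no `$` prompt, so the prompt style is now mixed.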

View file

@ -6,28 +6,28 @@
As of .NET 8, we also guarantee these images include time zone information (e.g. `tzdata` in Linux).
These images are intended to satisfy the most common use cases of .NET developers.
Alpine and [Ubuntu Chiseled](#ubuntu-chiseled-net-60) .NET images are focused on size.
Alpine and [Ubuntu Chiseled](./ubuntu-chiseled.md) .NET images are focused on size.
By default, these images do not include `icu` or `tzdata`, meaning that these images only work with apps that are configured for [globalization-invariant mode](https://learn.microsoft.com/dotnet/core/runtime-config/globalization).
Apps that require globalization support can use the `extra` image variant of the [dotnet/runtime-deps](https://hub.docker.com/_/microsoft-dotnet-runtime-deps/) images. Because this is only available with `runtime-deps` images, it requires a [self-contained deployment](https://learn.microsoft.com/dotnet/core/deploying/#publish-self-contained) of the application.
Alpine, Azure Linux, and Ubuntu Chiseled images also come in `extra`, `composite`, and `aot` variants (see below).
### Distroless
## Distroless
[Ubuntu Chiseled](https://ubuntu.com/engage/chiselled-ubuntu-images-for-containers) and [Azure Linux](./azurelinux.md) distroless .NET images contain only the minimum set of libraries necessary to run .NET applications with everything else removed.
For more information, see the [Distroless .NET images documentation](./distroless.md).
### `extra` (.NET 8.0+)
## `extra` (.NET 8.0+)
For apps that depend on globalization functionality, the `extra` image variant is offered for [Ubuntu Chiseled](./ubuntu-chiseled.md) and [Azure Linux](./azurelinux.md) distroless `runtime-deps`, `runtime`, and `aspnet` images as well as `runtime-deps` images for Alpine Linux.
These `extra` images contain everything that the default images do, plus `icu` and `tzdata`.
### `composite` (.NET 8.0+)
## `composite` (.NET 8.0+)
ASP.NET Core Composite images provide a smaller size on disk while keeping the performance of the default [ReadyToRun (R2R) setting](https://learn.microsoft.com/dotnet/core/deploying/ready-to-run).
The caveat is that the composite images have tighter version coupling. This means the final app run on them cannot use handpicked custom versions of the framework and/or ASP.NET assemblies that are built into the composite binary.
For a full technical description on how the composites work, we have a [feature doc here](https://github.com/dotnet/runtime/blob/main/docs/design/features/readytorun-composite-format-design.md).
### (Preview) `aot` (.NET 8.0+)
## (Preview) `aot` (.NET 8.0+)
The `aot` images provide an optimized deployment size for [Native AOT](https://learn.microsoft.com/dotnet/core/deploying/native-aot/) compiled .NET apps.
Native AOT has the lowest size, startup time, and memory footprint of all .NET deployment models.
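Review bot: In the `## Distroless` paragraph, `[Ubuntu Chiseled]` still points to `https://ubuntu.com/engage/chiselled-ubuntu-images-for-containers`, while the intro line changed in this hunk and the `extra` paragraph both link to `./ubuntu-chiseled.md`. Pick one target for the term, or word the external link so readers can tell it leads to a different page. Separately, promoting the four variant headings from `###` to `##` changes the document outline, so check that the heading above them is no longer meant to be their parent.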

View file

@ -9,7 +9,7 @@ There are two aspects to be aware of when it comes to protecting credentials:
## Use a multi-stage build to protect nuget.config passed by build context
By using multi-stage builds, you can use the build context to pass a set of files to the Docker build that are used just for building the application and avoid having all of those files end up in the final image. If your `nuget.config` file contains credentials and is already stored on the Docker host machine, then you may want to consider passing it via the build context for the Docker build (also see [Passing secrets by file with Docker BuildKit](#passing-secrets-by-file-with-buildkit) for a related pattern). *Be careful when storing credentials on disk. Make sure that the machine and file are properly secured.*
By using multi-stage builds, you can use the build context to pass a set of files to the Docker build that are used just for building the application and avoid having all of those files end up in the final image. If your `nuget.config` file contains credentials and is already stored on the Docker host machine, then you may want to consider passing it via the build context for the Docker build (also see [Passing secrets by file with Docker BuildKit](#passing-secrets-by-file-with-buildkit) for a related pattern). _Be careful when storing credentials on disk. Make sure that the machine and file are properly secured._
Even though using a multi-stage build is a good technique to help avoid exposing credentials in the final image, it should be known that the intermediate layers produced by the build can still expose those secrets locally on the Docker host machine.
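Review bot: The credential warning at the end of the first paragraph is still only italic (`_Be careful when storing credentials on disk. ..._`), so switching `*` to `_` keeps the least visible formatting on the most security-relevant sentence. Other hunks in this commit move notes into `> [!NOTE]` alerts. This sentence would fit a `> [!WARNING]` alert on its own lines, ideally together with the following sentence about intermediate layers exposing secrets on the Docker host.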
@ -144,7 +144,7 @@ The `VSS_NUGET_EXTERNAL_FEED_ENDPOINTS` environment variable is a well-known var
Instead, the credentials for `customfeed` are defined in the Dockerfile by making use of an `ARG` for the access token:
*Linux*
### Linux
```Dockerfile
FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build
@ -170,7 +170,7 @@ COPY --from=build /app/out ./
ENTRYPOINT ["dotnet", "dotnetapp.dll"]
```
*Windows*
### Windows
```Dockerfile
# escape=`
@ -207,7 +207,8 @@ COPY --from=build /app/out ./
ENTRYPOINT ["dotnet", "dotnetapp.dll"]
```
_Note that a script is called to install the Credential Provider. When `dotnet restore` is run, the Credential Provider is invoked to resolve the credentials and it retrieves them from the `VSS_NUGET_EXTERNAL_FEED_ENDPOINTS` environment variable._
> [!NOTE]
> A script is called to install the Credential Provider. When `dotnet restore` is run, the Credential Provider is invoked to resolve the credentials and it retrieves them from the `VSS_NUGET_EXTERNAL_FEED_ENDPOINTS` environment variable.
Before running `docker build`, first populate the `FEED_ACCESSTOKEN` environment variable with a [personal access token](https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate). Then, this Dockerfile would be built using this command:
@ -261,7 +262,7 @@ RUN echo %VSS_NUGET_EXTERNAL_FEED_ENDPOINTS%
## Passing secrets by file with BuildKit
Docker's [BuildKit](https://github.com/moby/buildkit) integration provides some enhanced functionality for passing [secret information](https://docs.docker.com/develop/develop-images/build_enhancements/#new-docker-build-secret-information) when running `docker build`. This avoids the use of `ARG` values which could potentially be exposed in the resulting image unless you're disciplined in defining your multi-stage build. But it also requires that the secret data be stored in a file on the Docker host machine during the `docker build`. If your `nuget.config` file contains credentials and is already stored on the Docker host machine, then this may be a good option for you. *Be careful when storing credentials on disk. Make sure that the machine and file are properly secured.*
Docker's [BuildKit](https://github.com/moby/buildkit) integration provides some enhanced functionality for passing [secret information](https://docs.docker.com/develop/develop-images/build_enhancements/#new-docker-build-secret-information) when running `docker build`. This avoids the use of `ARG` values which could potentially be exposed in the resulting image unless you're disciplined in defining your multi-stage build. But it also requires that the secret data be stored in a file on the Docker host machine during the `docker build`. If your `nuget.config` file contains credentials and is already stored on the Docker host machine, then this may be a good option for you. _Be careful when storing credentials on disk. Make sure that the machine and file are properly secured._
Let's use the following sample `nuget.config` file which is stored on the Docker host machine:

View file

@ -52,9 +52,12 @@ They include:
- Debian, unless specified (like `8.0-alpine`).
- All [supported architectures](supported-platforms.md#architectures).
**Note:** Since .NET 8, these multi-platform tags **specifically exclude all Windows versions** due to `containerd`'s platform matching algorithm for Windows hosts.
> [!NOTE]
> Since .NET 8, these multi-platform tags **specifically exclude all Windows versions** due to `containerd`'s platform matching algorithm for Windows hosts.
Please see [#4492 (Switch multi-platform tags to Linux only)](https://github.com/dotnet/dotnet-docker/issues/4492) for more context.
If you are using Windows, you will need to explicitly specify an OS Version with a single-platform tag like so:
```Dockerfile
FROM mcr.microsoft.com/dotnet/sdk:8.0-nanoserver-ltsc2022
FROM mcr.microsoft.com/dotnet/sdk:8.0-nanoserver-1809
@ -89,11 +92,11 @@ Examples:
- `6.0-alpine`
- `8.0-alpine`
Notes:
- New versions of Alpine will be published with version-specific tags (e.g. `6.0-alpine3.20`).
- Floating tag (e.g. `6.0-alpine`) will be updated with the new Alpine version a month later.
- Tag changes will be [announced](https://github.com/dotnet/dotnet-docker/discussions/categories/announcements) so that users know when the tags they want are available.
> [!NOTE]
>
> - New versions of Alpine will be published with version-specific tags (e.g. `6.0-alpine3.20`).
> - Floating tag (e.g. `6.0-alpine`) will be updated with the new Alpine version a month later.
> - Tag changes will be [announced](https://github.com/dotnet/dotnet-docker/discussions/categories/announcements) so that users know when the tags they want are available.
### `<Major.Minor.Patch .NET Version>`
@ -130,10 +133,10 @@ For more information, see the [Image Variants documentation](./image-variants.md
These "floating version" `latest` tag references an image with the latest `Major.Minor.Patch` .NET version, while operating system and architecture will be chosen based on the requesting environment.
Notes:
- The `latest` tag references the latest stable release.
- In the `nightly` image repo, it may reference the latest preview release.
> [!NOTE]
>
> - The `latest` tag references the latest stable release.
> - In the `nightly` image repo, it may reference the latest preview release.
## Tag policies
@ -148,12 +151,12 @@ Examples:
- `6.0.32`
- `8.0.7-alpine3.20`
Notes:
- These tags are considered _fixed tags_ since they reference a specific .NET patch version.
- They are updated in response to base image updates (like a Debian base image) for the supported life of the image (typically one month).
- The .NET components within the image will not be updated.
- In the rare event that .NET components are updated before the next regular .NET service release, then a new image with a `-1` tag will be created. The same practice will repeat itself if necessary (with `-2` and then `-3` tags).
> [!NOTE]
>
> - These tags are considered _fixed tags_ since they reference a specific .NET patch version.
> - They are updated in response to base image updates (like a Debian base image) for the supported life of the image (typically one month).
> - The .NET components within the image will not be updated.
> - In the rare event that .NET components are updated before the next regular .NET service release, then a new image with a `-1` tag will be created. The same practice will repeat itself if necessary (with `-2` and then `-3` tags).
### Floating version tags
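Review bot: In the new alert, the first two bullets read as contradictory when skimmed: the tags are called _fixed tags_, yet the next bullet says they are updated in response to base image updates. Suggest saying in the first bullet that "fixed" refers to the .NET patch version only and that the tag itself can still move to a rebuilt image, with a pointer to the digest pinning bullet in the OS tags section for readers who need an immutable reference.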
@ -164,11 +167,11 @@ Examples:
- `6.0`
- `8.0-alpine3.20`
Notes:
- These tags are considered _floating tags_ since they do not reference a specific .NET patch version.
- They are updated in response to base image updates (like a Debian base image) for the supported life of the .NET release.
- The .NET components within the image will be updated, which typically occurs on Patch Tuesday.
> [!NOTE]
>
> - These tags are considered _floating tags_ since they do not reference a specific .NET patch version.
> - They are updated in response to base image updates (like a Debian base image) for the supported life of the .NET release.
> - The .NET components within the image will be updated, which typically occurs on Patch Tuesday.
### OS tags and base image updates
@ -179,12 +182,12 @@ Examples:
- `6.0-jammy`
- `8.0-alpine3.20`
Notes:
- These tags are updated in response to base image updates (like an Ubuntu base image) for the supported life of the .NET release.
- Digest pinning is required to request a specific patch of an operating system (e.g. `mcr.microsoft.com/dotnet/runtime@sha256:4d3d5a5131a0621509ab8a75f52955f2d0150972b5c5fb918e2e59d4cb9a9823`).
- If an image is only available for one operating system, then the operating system will be omitted from the tag.
- For [Debian](https://en.wikipedia.org/wiki/Debian_version_history) and [Ubuntu](https://en.wikipedia.org/wiki/Ubuntu_version_history) images, release codenames are used instead of version numbers.
> [!NOTE]
>
> - These tags are updated in response to base image updates (like an Ubuntu base image) for the supported life of the .NET release.
> - Digest pinning is required to request a specific patch of an operating system (e.g. `mcr.microsoft.com/dotnet/runtime@sha256:4d3d5a5131a0621509ab8a75f52955f2d0150972b5c5fb918e2e59d4cb9a9823`).
> - If an image is only available for one operating system, then the operating system will be omitted from the tag.
> - For [Debian](https://en.wikipedia.org/wiki/Debian_version_history) and [Ubuntu](https://en.wikipedia.org/wiki/Ubuntu_version_history) images, release codenames are used instead of version numbers.
### Windows tags
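Review bot: The digest pinning bullet carries a literal `sha256:4d3d5a51...` value with no indication of which tag or date it was taken from, and it now sits inside a highlighted alert where it is more likely to be copied as-is. Suggest replacing it with a placeholder such as `mcr.microsoft.com/dotnet/runtime@sha256:<digest>` and pointing to the instructions that use `resolve-image-digest.ps1` to obtain a current value.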

View file

@ -5,10 +5,10 @@
.NET's Ubuntu Chiseled images are a type of "distroless" container image that contain only the minimal set of packages .NET needs, with everything else removed.
These images offer dramatically smaller deployment sizes and attack surface compared to our "full" Ubuntu images that are based on the Ubuntu base images. This is achieved through the following features:
- Minimal set of packages required to run a .NET application
- Non-root user by default
- No package manager
- No shell
* Minimal set of packages required to run a .NET application
* Non-root user by default
* No package manager
* No shell
## Featured Tags
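Review bot: The bullets here move from `-` to `*`, while the alerts rewritten in the tag policy hunks keep `-` (`> - New versions of Alpine ...`), so the repository ends up with both markers. If MD004 is left at its default `consistent` style this passes per file, but it does not stop drift between files. Suggest setting an explicit `style` for MD004 in the markdownlint config and converting in one direction only.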
@ -24,9 +24,10 @@ If you have a compelling use case for a distroless SDK image, please leave a com
## How do I use Ubuntu Chiseled .NET images?
Please see our sample Dockerfiles for examples on how to use Ubuntu Chiseled .NET images:
- [aspnetapp](../samples/aspnetapp/Dockerfile.chiseled)
- [dotnetapp](../samples/dotnetapp/Dockerfile.chiseled)
- [releasesapi](../samples/releasesapi/Dockerfile.ubuntu-chiseled) (and [icu version](../samples/releasesapi/Dockerfile.ubuntu-chiseled-icu))
- [releasesapp](../samples/releasesapp/Dockerfile.chiseled)
* [aspnetapp](../samples/aspnetapp/Dockerfile.chiseled)
* [dotnetapp](../samples/dotnetapp/Dockerfile.chiseled)
* [releasesapi](../samples/releasesapi/Dockerfile.ubuntu-chiseled) (and [icu version](../samples/releasesapi/Dockerfile.ubuntu-chiseled-icu))
* [releasesapp](../samples/releasesapp/Dockerfile.chiseled)
If your app's Dockerfile doesn't install any additional Linux packages or depend on any shell scripts for setup, Ubuntu Chiseled images could be a drop-in replacement for our full Ubuntu or Debian images.

View file

@ -71,6 +71,8 @@ $myImage="<insert-my-image-tag>"
&([scriptblock]::Create((Invoke-WebRequest -UseBasicParsing 'https://raw.githubusercontent.com/dotnet/dotnet-docker/main/documentation/scripts/resolve-image-digest.ps1'))) $myImage
```
#### Resolving multi-arch tags
If the script above returns an error indicating it's unable to resolve a multi-arch tag, you'll need to provide extra parameters to the script.
The following scripts indicate how to do that.
@ -81,7 +83,7 @@ You only need the first three parts of the version number.
In the case of Windows Server 2022, it's `10.0.20348`.
You can use a wildcard to indicate the rest of the version number.
#### macOS/Linux
##### macOS/Linux
Requires [PowerShell to be installed](https://learn.microsoft.com/powershell/scripting/install/installing-powershell-on-linux).
@ -93,7 +95,7 @@ osVersion="<windows-version>" # Only used for Windows containers (e.g. "10.0.203
curl -sSL https://raw.githubusercontent.com/dotnet/dotnet-docker/main/documentation/scripts/resolve-image-digest.ps1 | pwsh /dev/stdin $myImage -Os $os -Architecture $arch -OsVersion $osVersion
```
#### Windows
##### Windows
```powershell
$myImage="<insert-my-image-tag>"
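Review bot: The context line in the macOS/Linux block pipes `resolve-image-digest.ps1` from the `main` branch on raw.githubusercontent.com straight into `pwsh /dev/stdin`, so readers execute whatever is on `main` at that moment without seeing it. While the headings here are being renumbered, consider changing the instructions to download the script to a file first, or to reference it at a commit SHA. That would match the purpose of a section about resolving tags to digests.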

View file

@ -1 +1,3 @@
# .NET Docker Pipelines
The contents of the `pipelines` folder are used by the .NET Core engineering infrastructure to build and publish the images.

View file

@ -4,11 +4,11 @@
You can use C# or F# to write .NET apps.
- [C#](https://docs.microsoft.com/dotnet/csharp/) is powerful, type-safe, and object-oriented while retaining the expressiveness and elegance of C-style languages. Anyone familiar with C and similar languages will find it straightforward to write in C#.
- [F#](https://docs.microsoft.com/dotnet/fsharp/) is a cross-platform, open-source, functional programming language for .NET. It also includes object-oriented and imperative programming.
* [C#](https://docs.microsoft.com/dotnet/csharp/) is powerful, type-safe, and object-oriented while retaining the expressiveness and elegance of C-style languages. Anyone familiar with C and similar languages will find it straightforward to write in C#.
* [F#](https://docs.microsoft.com/dotnet/fsharp/) is a cross-platform, open-source, functional programming language for .NET. It also includes object-oriented and imperative programming.
[.NET](https://github.com/dotnet/core) is open source (MIT and Apache 2 licenses) and was contributed to the [.NET Foundation](http://dotnetfoundation.org) by Microsoft in 2014. It can be freely adopted by individuals and companies, including for personal, academic or commercial purposes. Multiple companies use .NET as part of apps, tools, new platforms and hosting services.
You are invited to [contribute new features](https://github.com/dotnet/core/blob/master/CONTRIBUTING.md), fixes, or updates, large or small; we are always thrilled to receive pull requests, and do our best to process them as fast as we can.
> https://docs.microsoft.com/dotnet/core/
> [.NET Documentation](https://docs.microsoft.com/dotnet/core/)
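Review bot: The new link `[.NET Documentation](https://docs.microsoft.com/dotnet/core/)` uses the `docs.microsoft.com` host, while other files touched in this commit link to `learn.microsoft.com` (for example the globalization and Native AOT links). Suggest switching this one, and the C# and F# links on the rewritten bullets, to `learn.microsoft.com`. The context line also still has a plain `http://dotnetfoundation.org` link that could move to `https`.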

View file

@ -27,9 +27,7 @@ if !IS_PRODUCT_FAMILY:{{InsertTemplate("FeaturedTags.md", commonArgs)}}
{{if !IS_PRODUCT_FAMILY:
# Full Tag Listing
{{if ARGS["readme-host"] = "github":<!--End of generated tags-->
{{if !(isMonitor || isAspireDashboard):For tags contained in the old dotnet/core{{if isNightlyRepo:-nightly}}/{{SHORT_REPO}} repository, you can retrieve a list of those tags at https://mcr.microsoft.com/v2/dotnet/core{{if isNightlyRepo:-nightly}}/{{SHORT_REPO}}/tags/list.
}}*Tags not listed in the table above are not supported. See the [Supported Tags Policy](https://github.com/dotnet/dotnet-docker/blob/main/documentation/supported-tags.md)*
*Tags not listed in the table above are not supported. See the [Supported Tags Policy](https://github.com/dotnet/dotnet-docker/blob/main/documentation/supported-tags.md)*
^elif ARGS["readme-host"] = "dockerhub":
View the current tags at the [Microsoft Artifact Registry portal](https://mcr.microsoft.com/product/{{REPO}}/tags) or on [GitHub](https://github.com/dotnet/dotnet-docker/blob/{{if isNightlyRepo:nightly^else:main}}/README.{{SHORT_REPO}}.md#full-tag-listing).
}}}}
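Review bot: This is a content change rather than a lint fix: the sentence pointing to the tag list of the old `dotnet/core.../{{SHORT_REPO}}` repository is dropped for the `github` readme host, along with its `{{if !(isMonitor || isAspireDashboard): ... }}` wrapper. The braces still balance, since the removed `{{if` and the leading `}}` on the old `*Tags not listed ...` line go together. The removal should be mentioned in the change description so it is not lost among the formatting edits.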

View file

@ -26,6 +26,7 @@
{{ARGS["top-header"]}}## CVE Update Policy
.NET container images are regularly monitored for the presence of CVEs. A given image will be rebuilt to pick up fixes for a CVE when:
* We detect the image contains a CVE with a [CVSS](https://nvd.nist.gov/vuln-metrics/cvss) score of "Critical"
* **AND** the CVE is in a package that is added in our Dockerfile layers (meaning the CVE is in a package we explicitly install or any transitive dependencies of those packages)
* **AND** there is a CVE fix for the package available in the affected base image's package repository.

View file

@ -6,28 +6,28 @@
The dashboard shows:
- Resources that make up your app, such as .NET projects, executables and containers.
- Live console logs of resources.
- Live telemetry, such as structured logs, traces and metrics.
* Resources that make up your app, such as .NET projects, executables and containers.
* Live console logs of resources.
* Live telemetry, such as structured logs, traces and metrics.
{{ARGS["top-header"]}}# Configuration
The dashboard must be configured when it is started. The configuration is done via environment variables. The following environment variables are supported:
- `ASPNETCORE_URLS` specifies one or more HTTP endpoints through which the dashboard frontend is served. The frontend endpoint is used to view the dashboard in a browser. Defaults to http://localhost:18888.
- `DOTNET_DASHBOARD_OTLP_ENDPOINT_URL` specifies the [OTLP/gRPC](https://opentelemetry.io/docs/specs/otlp/#otlpgrpc) endpoint. This endpoint hosts an OTLP service and receives telemetry using gRPC. When the dashboard is launched by the .NET Aspire app host this address is secured with HTTPS. Securing the dashboard with HTTPS is recommended. Defaults to http://localhost:18889.
- `DOTNET_DASHBOARD_OTLP_HTTP_ENDPOINT_URL` specifies the [OTLP/HTTP](https://opentelemetry.io/docs/specs/otlp/#otlphttp) endpoint. This endpoint hosts an OTLP service and receives telemetry using Protobuf over HTTP. Defaults to http://localhost:18890.
- `DOTNET_DASHBOARD_UNSECURED_ALLOW_ANONYMOUS` specifies the dashboard doesn't use authentication and accepts anonymous access. This setting is a shortcut to configuring `Dashboard:Frontend:AuthMode` and `Dashboard:Otlp:AuthMode` to `Unsecured`.
- `DOTNET_DASHBOARD_CONFIG_FILE_PATH` specifies the path for an optional JSON configuration file.
* `ASPNETCORE_URLS` specifies one or more HTTP endpoints through which the dashboard frontend is served. The frontend endpoint is used to view the dashboard in a browser. Defaults to `http://localhost:18888`.
* `DOTNET_DASHBOARD_OTLP_ENDPOINT_URL` specifies the [OTLP/gRPC](https://opentelemetry.io/docs/specs/otlp/#otlpgrpc) endpoint. This endpoint hosts an OTLP service and receives telemetry using gRPC. When the dashboard is launched by the .NET Aspire app host this address is secured with HTTPS. Securing the dashboard with HTTPS is recommended. Defaults to `http://localhost:18889`.
* `DOTNET_DASHBOARD_OTLP_HTTP_ENDPOINT_URL` specifies the [OTLP/HTTP](https://opentelemetry.io/docs/specs/otlp/#otlphttp) endpoint. This endpoint hosts an OTLP service and receives telemetry using Protobuf over HTTP. Defaults to `http://localhost:18890`.
* `DOTNET_DASHBOARD_UNSECURED_ALLOW_ANONYMOUS` specifies the dashboard doesn't use authentication and accepts anonymous access. This setting is a shortcut to configuring `Dashboard:Frontend:AuthMode` and `Dashboard:Otlp:AuthMode` to `Unsecured`.
* `DOTNET_DASHBOARD_CONFIG_FILE_PATH` specifies the path for an optional JSON configuration file.
{{ARGS["top-header"]}}## Frontend authentication
The dashboard's frontend supports OpenID Connect (OIDC). Set `Dashboard__Frontend__AuthMode` to `OpenIdConnect`, then add the following configuration:
- `Authentication__Schemes__OpenIdConnect__Authority` &mdash; URL to the identity provider (IdP)
- `Authentication__Schemes__OpenIdConnect__ClientId` &mdash; Identity of the relying party (RP)
- `Authentication__Schemes__OpenIdConnect__ClientSecret`&mdash; A secret that only the real RP would know
- Other properties of [`OpenIdConnectOptions`](https://learn.microsoft.com/dotnet/api/microsoft.aspnetcore.builder.openidconnectoptions) specified in configuration container `Authentication__Schemes__OpenIdConnect__*`
* `Authentication__Schemes__OpenIdConnect__Authority` &mdash; URL to the identity provider (IdP)
* `Authentication__Schemes__OpenIdConnect__ClientId` &mdash; Identity of the relying party (RP)
* `Authentication__Schemes__OpenIdConnect__ClientSecret`&mdash; A secret that only the real RP would know
* Other properties of [`OpenIdConnectOptions`](https://learn.microsoft.com/dotnet/api/microsoft.aspnetcore.builder.openidconnectoptions) specified in configuration container `Authentication__Schemes__OpenIdConnect__*`
It may also be run unsecured. Set `Dashboard__Frontend__AuthMode` to `Unsecured`. The frontend endpoint will allow anonymous access. This setting is used during local development, but is not recommended if you attempt to host the dashboard in other settings.
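Review bot: On the rewritten `ClientSecret` bullet, `&mdash;` follows the closing backtick with no space (`...__ClientSecret`&mdash; A secret ...), unlike the `Authority` and `ClientId` bullets directly above it. Every line of this list is being touched anyway, so add the missing space here. The three bullets could also use a plain `-` or `:` separator instead of the HTML entity, which would keep the template readable on hosts that show the raw text.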
@ -39,25 +39,25 @@ For client certification authentication, set `Dashboard__Otlp__AuthMode` to `Cer
For API key authentication, set `Dashboard__Otlp__AuthMode` to `ApiKey`, then add the following configuration:
- `Dashboard__Otlp__PrimaryApiKey` specifies the primary API key. (required, string)
- `Dashboard__Otlp__SecondaryApiKey` specifies the secondary API key. (optional, string)
* `Dashboard__Otlp__PrimaryApiKey` specifies the primary API key. (required, string)
* `Dashboard__Otlp__SecondaryApiKey` specifies the secondary API key. (optional, string)
It may also be run unsecured. Set `Dashboard__Otlp__AuthMode` to `Unsecured`. The OTLP endpoint will allow anonymous access. This setting is used during local development, but is not recommended if you attempt to host the dashboard in other settings.
{{ARGS["top-header"]}}# Resources
- `Dashboard__ResourceServiceClient__Url` specifies the gRPC endpoint to which the dashboard connects for its data. There's no default. If this variable is unspecified, the dashboard shows OTEL data but no resource list or console logs.
* `Dashboard__ResourceServiceClient__Url` specifies the gRPC endpoint to which the dashboard connects for its data. There's no default. If this variable is unspecified, the dashboard shows OTEL data but no resource list or console logs.
The resource service client supports certificates. Set `Dashboard__ResourceServiceClient__AuthMode` to `Certificate`, then add the following configuration:
- `Dashboard__ResourceServiceClient__ClientCertificate__Source` (required) one of:
- `File` to load the cert from a file path, configured with:
- `Dashboard__ResourceServiceClient__ClientCertificate__FilePath` (required, string)
- `Dashboard__ResourceServiceClient__ClientCertificate__Password` (optional, string)
- `KeyStore` to load the cert from a key store, configured with:
- `Dashboard__ResourceServiceClient__ClientCertificate__Subject` (required, string)
- `Dashboard__ResourceServiceClient__ClientCertificate__Store` (optional, [`StoreName`](https://learn.microsoft.com/dotnet/api/system.security.cryptography.x509certificates.storename), defaults to `My`)
- `Dashboard__ResourceServiceClient__ClientCertificate__Location` (optional, [`StoreLocation`](https://learn.microsoft.com/dotnet/api/system.security.cryptography.x509certificates.storelocation), defaults to `CurrentUser`)
* `Dashboard__ResourceServiceClient__ClientCertificate__Source` (required) one of:
* `File` to load the cert from a file path, configured with:
* `Dashboard__ResourceServiceClient__ClientCertificate__FilePath` (required, string)
* `Dashboard__ResourceServiceClient__ClientCertificate__Password` (optional, string)
* `KeyStore` to load the cert from a key store, configured with:
* `Dashboard__ResourceServiceClient__ClientCertificate__Subject` (required, string)
* `Dashboard__ResourceServiceClient__ClientCertificate__Store` (optional, [`StoreName`](https://learn.microsoft.com/dotnet/api/system.security.cryptography.x509certificates.storename), defaults to `My`)
* `Dashboard__ResourceServiceClient__ClientCertificate__Location` (optional, [`StoreLocation`](https://learn.microsoft.com/dotnet/api/system.security.cryptography.x509certificates.storelocation), defaults to `CurrentUser`)
To opt-out of authentication, set `Dashboard__ResourceServiceClient__AuthMode` to `Unsecured`. This completely disables all security for the resource service client. This setting is used during local development, but is not recommended if you attempt to host the dashboard in other settings.
@ -65,15 +65,15 @@ To opt-out of authentication, set `Dashboard__ResourceServiceClient__AuthMode` t
Telemetry is stored in-memory. To avoid excessive memory usage, the dashboard has limits on the count and size of stored telemetry. When a count limit is reached, new telemetry is added, and the oldest telemetry is removed. When a size limit is reached, data is truncated to the limit.
- `Dashboard__TelemetryLimits__MaxLogCount` specifies the maximum number of log entries. Defaults to 10,000.
- `Dashboard__TelemetryLimits__MaxTraceCount` specifies the maximum number of traces. Defaults to 10,000.
- `Dashboard__TelemetryLimits__MaxMetricsCount` specifies the maximum number of metric data points. Defaults to 50,000.
- `Dashboard__TelemetryLimits__MaxAttributeCount` specifies the maximum number of attributes on telemetry. Defaults to 128.
- `Dashboard__TelemetryLimits__MaxAttributeLength` specifies the maximum length of attributes. Defaults to unlimited.
- `Dashboard__TelemetryLimits__MaxSpanEventCount` specifies the maximum number of events on span attributes. Defaults to unlimited.
* `Dashboard__TelemetryLimits__MaxLogCount` specifies the maximum number of log entries. Defaults to 10,000.
* `Dashboard__TelemetryLimits__MaxTraceCount` specifies the maximum number of traces. Defaults to 10,000.
* `Dashboard__TelemetryLimits__MaxMetricsCount` specifies the maximum number of metric data points. Defaults to 50,000.
* `Dashboard__TelemetryLimits__MaxAttributeCount` specifies the maximum number of attributes on telemetry. Defaults to 128.
* `Dashboard__TelemetryLimits__MaxAttributeLength` specifies the maximum length of attributes. Defaults to unlimited.
* `Dashboard__TelemetryLimits__MaxSpanEventCount` specifies the maximum number of events on span attributes. Defaults to unlimited.
Limits are per-resource. For example, a `MaxLogCount` value of 10,000 configures the dashboard to store up to 10,000 log entries per-resource.
{{ARGS["top-header"]}}# Other
- `Dashboard__ApplicationName` specifies the application name to be displayed in the UI. This applies only when no resource service URL is specified. When a resource service exists, the service specifies the application name.
* `Dashboard__ApplicationName` specifies the application name to be displayed in the UI. This applies only when no resource service URL is specified. When a resource service exists, the service specifies the application name.

View file

@ -2,7 +2,8 @@
This sample demonstrates how to build container images for ASP.NET Core web apps. See [.NET Docker Samples](../README.md) for more samples.
> Note: .NET 8 container images use port `8080`, by default. Previous .NET versions used port `80`. The instructions for the sample assume the use of port `8080`.
> [!NOTE]
> .NET 8 container images use port `8080`, by default. Previous .NET versions used port `80`. The instructions for the sample assume the use of port `8080`.
## Run the sample image
@ -39,7 +40,8 @@ Supported with .NET Core 1.0+
ASPNETCORE_URLS=http://+:80
```
Note: `ASPNETCORE_URLS` overwrites `ASPNETCORE_HTTP_PORTS` if set.
> [!NOTE]
> `ASPNETCORE_URLS` overwrites `ASPNETCORE_HTTP_PORTS` if set.
These environment variables are used in [.NET 8](https://github.com/dotnet/dotnet-docker/blob/6da64f31944bb16ecde5495b6a53fc170fbe100d/src/runtime-deps/8.0/bookworm-slim/amd64/Dockerfile#L7C5-L7C31) and [.NET 6](https://github.com/dotnet/dotnet-docker/blob/6da64f31944bb16ecde5495b6a53fc170fbe100d/src/runtime-deps/6.0/bookworm-slim/amd64/Dockerfile#L5) Dockerfiles, respectively.
@ -64,7 +66,8 @@ info: Microsoft.Hosting.Lifetime[0]
After the application starts, navigate to `http://localhost:8000` in your web browser. You can also view the ASP.NET Core site running in the container from another machine with a local IP address such as `http://192.168.1.18:8000`.
> Note: ASP.NET Core apps (in official images) listen to [port 8080 by default](https://github.com/dotnet/dotnet-docker/blob/6da64f31944bb16ecde5495b6a53fc170fbe100d/src/runtime-deps/8.0/bookworm-slim/amd64/Dockerfile#L7), starting with .NET 8. The [`-p` argument](https://docs.docker.com/engine/reference/commandline/run/#publish) in these examples maps host port `8000` to container port `8080` (`host:container` mapping). The container will not be accessible without this mapping. ASP.NET Core can be [configured to listen on a different or additional port](https://learn.microsoft.com/aspnet/core/fundamentals/servers/kestrel/endpoints).
> [!NOTE]
> ASP.NET Core apps (in official images) listen to [port 8080 by default](https://github.com/dotnet/dotnet-docker/blob/6da64f31944bb16ecde5495b6a53fc170fbe100d/src/runtime-deps/8.0/bookworm-slim/amd64/Dockerfile#L7), starting with .NET 8. The [`-p` argument](https://docs.docker.com/engine/reference/commandline/run/#publish) in these examples maps host port `8000` to container port `8080` (`host:container` mapping). The container will not be accessible without this mapping. ASP.NET Core can be [configured to listen on a different or additional port](https://learn.microsoft.com/aspnet/core/fundamentals/servers/kestrel/endpoints).
You can see the app running via `docker ps`.
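Review bot: the rewritten note only says that `-p` maps host port `8000` to container port `8080`, but the line just above it shows the site being reached from another machine at `http://192.168.1.18:8000`, so the note should state that this form publishes the port on every host interface. Suggest adding that `-p 127.0.0.1:8000:8080` keeps the sample reachable from the local machine only.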


@ -79,7 +79,8 @@ The `--platform` argument is the best way to specify the desired architecture. T
In addition, Docker [Buildkit exposes multiple environment variables](https://github.com/dotnet/dotnet-docker/pull/4387#issuecomment-1416565213) that can be used to further conditionalize behavior. These environment variables can be controlled with the pattern demonstrated in [Dockerfile](https://github.com/mthalman/dredge/blob/main/src/Valleysoft.Dredge/Dockerfile). As mentioned, .NET doesn't support being run in emulation. The pattern in that Dockerfile results in the SDK always being run natively while the final image is affected by the `--platform` switch. This model also has the best performance since the bulk of computation is run natively.
Note: We are enabling the following model in a future release: https://github.com/dotnet/dotnet-docker/issues/4388#issuecomment-1421401384.
> [!NOTE]
> We are enabling this [model](https://github.com/dotnet/dotnet-docker/issues/4388#issuecomment-1421401384) in a future release.
## .NET and QEMU
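Review bot: the new wording "We are enabling this [model]" is ambiguous, because the preceding paragraph ends with "This model also has the best performance" and a reader will take "this model" to mean the pattern just described rather than the linked issue comment. Keep the distinction the old "the following model" made, for example by using link text that names what the comment proposes.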
@ -87,4 +88,4 @@ Docker Desktop uses [QEMU](https://www.qemu.org/) for emulation, for example run
As a result, we need a reliable pattern that can produce multiple variants of images on one machine, but that doesn't use emulation. That's what this document describes.
Context: https://gitlab.com/qemu-project/qemu/-/issues/249
> [QEMU context](https://gitlab.com/qemu-project/qemu/-/issues/249)
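Review bot: the replacement line turns the context link into a bare blockquote, which is neither a `> [!NOTE]` alert like the other notes in this patch nor a sentence. A plain line such as "See the [QEMU issue](...) for context." would read better and avoids a blockquote that quotes nothing.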


@ -41,8 +41,8 @@ You can see the built binaries with the following command:
```console
% ls out
dotnetapp dotnetapp.pdb
dotnetapp.deps.json dotnetapp.runtimeconfig.json
dotnetapp dotnetapp.pdb
dotnetapp.deps.json dotnetapp.runtimeconfig.json
dotnetapp.dll
```
@ -114,8 +114,8 @@ You can see the built binaries with the following command:
```console
> ls ~/dotnetapp
dotnetapp dotnetapp.pdb
dotnetapp.deps.json dotnetapp.runtimeconfig.json
dotnetapp dotnetapp.pdb
dotnetapp.deps.json dotnetapp.runtimeconfig.json
dotnetapp.dll
```


@ -45,7 +45,8 @@ There are two primary ways to test within the workflow of an application contain
This is different than running tests within a [.NET SDK container](../run-tests-in-sdk-container.md), which establishes a generic environment (which also works well). The rest of this document is focused on running tests within the same container environment as the application.
> Note: See [Establishing docker environment](../establishing-docker-environment.md) for more information on correctly configuring Dockerfiles and `docker build` commands.
> [!NOTE]
> See [Establishing docker environment](../establishing-docker-environment.md) for more information on correctly configuring Dockerfiles and `docker build` commands.
## Running tests as an opt-in stage


@ -18,7 +18,8 @@ docker build --pull -t aspnetapp -f Dockerfile .
Create an ACR registry per the instructions at [Push Docker Images to Azure Container Registry](push-image-to-acr.md). The following is a summarized version of those instructions.
> Note: Change the password location and the user account ("rich" and "richlander") example values in your environment.
> [!NOTE]
> Change the password location and the user account ("rich" and "richlander") example values in your environment.
```console
az login


@ -30,12 +30,12 @@ Some users want to add ICU to one of the image types that doesn't include it. It
When using `Microsoft.Data.SqlClient` or Entity Framework Core without ICU installed, the following exception may be thrown when attempting to connect to a database:
```
```text
System.Globalization.CultureNotFoundException: Only the invariant culture is supported in globalization-invariant mode. See https://aka.ms/GlobalizationInvariantMode for more information. (Parameter 'name')
en-us is an invalid culture identifier.
```
This is by design. `Microsoft.Data.SqlClient` requires ICU to be installed. See https://github.com/dotnet/SqlClient/issues/220 for more information.
This is by design. `Microsoft.Data.SqlClient` requires ICU to be installed. See this [Sql Client issue](https://github.com/dotnet/SqlClient/issues/220) for more information.
### Alpine images
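Review bot: the new link text "Sql Client issue" does not match the package name `Microsoft.Data.SqlClient` used in the same sentence. Link text that names the repository and issue, such as "dotnet/SqlClient issue 220", is easier to search for and survives if the sentence is later moved.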
@ -54,7 +54,7 @@ RUN apk add --no-cache \
### Ubuntu chiseled images
ICU can be added to an Ubuntu chiseled image, as demonstrated by https://github.com/ubuntu-rocks/dotnet/issues/21.
ICU can be added to an Ubuntu chiseled image, as demonstrated in this [chisel issue](https://github.com/ubuntu-rocks/dotnet/issues/21).
## Tzdata


@ -59,10 +59,9 @@ dotnet dev-certs https --trust
```
> [!NOTE]
> `dotnet dev-certs https --trust` is only supported on macOS and Windows. You need to trust certs on Linux in the way that is supported by your distro. It is likely that you need to trust the certificate in your browser.
> [!NOTE]
> `<CREDENTIAL_PLACEHOLDER>` is used as a stand-in for a password of your own choosing.
>
> - `dotnet dev-certs https --trust` is only supported on macOS and Windows. You need to trust certs on Linux in the way that is supported by your distro. It is likely that you need to trust the certificate in your browser.
> - `<CREDENTIAL_PLACEHOLDER>` is used as a stand-in for a password of your own choosing.
Run the container image with ASP.NET Core configured for HTTPS:


@ -22,7 +22,7 @@ Create a proxy to the service, on all three ports.
kubectl port-forward service/dotnet-monitor 8080 52323 52325
```
View the sample app at http://localhost:8080/ or call `curl http://localhost:8080/Environment`.
View the sample app at `http://localhost:8080/` or call `curl http://localhost:8080/Environment`.
You can query the app.
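Review bot: wrapping `http://localhost:8080/` in a code span silences the bare-URL rule but also makes the address non-clickable in the rendered README. If a live link is wanted, `<http://localhost:8080/>` satisfies the linter as well; if not, keep the code-span form consistent across every localhost URL in the Kubernetes samples.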


@ -33,8 +33,8 @@ Test the pattern with a single replica deployment. This test requires multiple t
First terminal:
```bash
$ kubectl apply -f https://raw.githubusercontent.com/dotnet/dotnet-docker/main/samples/kubernetes/hello-dotnet/hello-dotnet.yaml
$ kubectl port-forward service/hello-dotnet 8080:80
kubectl apply -f https://raw.githubusercontent.com/dotnet/dotnet-docker/main/samples/kubernetes/hello-dotnet/hello-dotnet.yaml
kubectl port-forward service/hello-dotnet 8080:80
```
Second terminal:
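Review bot: the `kubectl apply -f` line fetches `hello-dotnet.yaml` from the mutable `main` branch, and with the `$` prompt removed it is now directly copy-pasteable into a cluster session. Consider pinning the raw URL to a commit, as the Dockerfile links elsewhere in this patch do, so readers apply the manifest the README was written against.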


@ -107,7 +107,8 @@ public class DelayedShutdownHostLifetime : IHostLifetime, IDisposable
}
```
> Note: do not confuse `IHostLifetime` with `IHostApplicationLifetime`--they are related, but different interfaces. It is the `IHostLifetime` instance that listens for signals, including `SIGTERM`, and once a signal arrives, it calls into `IHostApplicationLifetime` instance to orchestrate application shutdown. For more information see [generic host shutdown documentation](https://learn.microsoft.com/dotnet/core/extensions/generic-host#host-shutdown)
> [!NOTE]
> Do not confuse `IHostLifetime` with `IHostApplicationLifetime`--they are related, but different interfaces. It is the `IHostLifetime` instance that listens for signals, including `SIGTERM`, and once a signal arrives, it calls into `IHostApplicationLifetime` instance to orchestrate application shutdown. For more information see [generic host shutdown documentation](https://learn.microsoft.com/dotnet/core/extensions/generic-host#host-shutdown)
Make ASP.NET use `DelayedShutdownHostLifetime` by adding it to the dependency injection container:
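Review bot: the converted note capitalizes "Do" but still ends without a period after the "generic host shutdown documentation" link, and "calls into `IHostApplicationLifetime` instance" is missing an article. Since the line is being rewritten anyway, finish the sentence and use "the `IHostApplicationLifetime` instance".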


@ -15,7 +15,7 @@ Forwarding from 127.0.0.1:8080 -> 8080
Forwarding from [::1]:8080 -> 8080
```
View the sample app at http://localhost:8080/ and call `curl http://localhost:8080/Environment`.
View the sample app at `http://localhost:8080/` and call `curl http://localhost:8080/Environment`.
```bash
$ curl http://localhost:8080/Environment


@ -25,7 +25,7 @@ Create a proxy to the service.
kubectl port-forward service/dotnet-app 8080:8080
```
View the sample app at http://localhost:8080/ or call `curl http://localhost:8080/Environment`.
View the sample app at `http://localhost:8080/` or call `curl http://localhost:8080/Environment`.
Should look like:


@ -67,7 +67,7 @@ Create a proxy to the service.
kubectl port-forward service/dotnet-replica-health 8080
```
View the sample app at http://localhost:8080/ or call `curl http://localhost:8080/Environment`.
View the sample app at `http://localhost:8080/` or call `curl http://localhost:8080/Environment`.
You can call the `healthz` endpoint to test the liveness probe.


@ -41,7 +41,7 @@ Create a proxy to the service.
kubectl port-forward service/dotnet-resource-limits 8080
```
View the sample app at http://localhost:8080/ or call `curl http://localhost:8080/Environment`. You can see memory and CPU usage displayed. CPU is reported as an integer and always rounded up to the next whole integer (for example, `0.25` is rounded up to `1`).
View the sample app at `http://localhost:8080/` or call `curl http://localhost:8080/Environment`. You can see memory and CPU usage displayed. CPU is reported as an integer and always rounded up to the next whole integer (for example, `0.25` is rounded up to `1`).
```bash
% curl http://localhost:8080/Environment


@ -26,7 +26,8 @@ docker run --rm dotnetapp
The following example demonstrates how to create a private ACR Registry. Once an image is in ACR, it is easy to deploy it to ACI.
> Note: The instructions use example values that need to be changed to for your environment, specifically the password location, and the user account. More simply, make sure to change "rich" and "richlander" to something else.
> [!NOTE]
> The instructions use example values that need to be changed to for your environment, specifically the password location, and the user account. More simply, make sure to change "rich" and "richlander" to something else.
```console
az login


@ -34,7 +34,8 @@ You need to [login to Docker Hub](https://docs.docker.com/docker-hub/accounts/)
There are a couple ways of passing a password to `docker login`. These instructions [pass the password to stdin](https://github.com/docker/cli/pull/218) via a text file called password-dh.txt. Make sure to save to a location not managed by source control (to avoid accidental disclosure).
> Note: The instructions use example values that need to be changed to for your environment, specifically the password location, and the user account. More simply, make sure to change "rich" and "richlander" to something else.
> [!NOTE]
> The instructions use example values that need to be changed to for your environment, specifically the password location, and the user account. More simply, make sure to change "rich" and "richlander" to something else.
Login on Windows:


@ -1,8 +1,9 @@
# Release Json Report API
This app demonstrates publishing an app as [native AOT](https://learn.microsoft.com/dotnet/core/deploying/native-aot/) in containers.
This app demonstrates publishing an app as [native AOT](https://learn.microsoft.com/dotnet/core/deploying/native-aot/) in containers.
> Note: The base images used by this sample are in preview.
> [!NOTE]
> The base images used by this sample are in preview.
A similar console app sample supports [single file deployment](../releasesapp/README.md) (non-AOT scenario). This app could also be deployed that way.
@ -22,7 +23,7 @@ It exposes two endpoints:
## App
The app is intended as a sort of compliance report for .NET. The report includes supported major releases and those recently out of support. It includes the latest and latest security patch versions for each of those major releases.
The app is intended as a sort of compliance report for .NET. The report includes supported major releases and those recently out of support. It includes the latest and latest security patch versions for each of those major releases.
This same information is available from the [release JSON](https://github.com/dotnet/core/blob/main/release-notes/releases-index.json) files that the team maintains, but that requires a bit of code to provide the same report.


@ -13,11 +13,11 @@ docker build --pull -t app .
docker run --rm app
```
It will produce output similar to: https://gist.github.com/richlander/4701a33592abd021f767644974c0ced6
It will produce output similar to this [example app output](https://gist.github.com/richlander/4701a33592abd021f767644974c0ced6).
## App
The app is intended as a sort of compliance report for .NET. The report includes supported major releases and those recently out of support. It includes the latest and latest security patch versions for each of those major releases.
The app is intended as a sort of compliance report for .NET. The report includes supported major releases and those recently out of support. It includes the latest and latest security patch versions for each of those major releases.
This same information is available from the [release JSON](https://github.com/dotnet/core/blob/main/release-notes/releases-index.json) files that the team maintains, but that requires a bit of code to provide the same report.


@ -36,13 +36,15 @@ You can add the element manually or use Visual Studio to do it for you. The foll
The format of the `UserSecretsId` content doesn't matter. The sample in this repo used [Random String Generator](https://www.random.org/strings/?num=6&len=20&digits=on&unique=on&format=html&rnd=new) to produce a unique string.
> Note: `User Secrets` and `Application Secrets` terms are used interchangebly.
> [!NOTE]
> `User Secrets` and `Application Secrets` terms are used interchangebly.
## Building and Running the Sample with HTTPS
Use the following instructions, for your operating system configuration. The commands assume that you are in the root of the repository.
> Note: The sample includes a banner to accept a cookie policy. When switching between HTTP and HTTPS, you may see the banner repeatedly. Delete the cookie for the site in `Developer Tools` in this case.
> [!NOTE]
> The sample includes a banner to accept a cookie policy. When switching between HTTP and HTTPS, you may see the banner repeatedly. Delete the cookie for the site in `Developer Tools` in this case.
![Developer Tools -- Delete cookie](https://user-images.githubusercontent.com/2608468/40246148-875fee5a-5a7c-11e8-9728-7da89a491014.png)
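Review bot: the first converted note keeps the misspelling "interchangebly". Correct it to "interchangeably" in the new `> [!NOTE]` line, and consider "The terms `User Secrets` and `Application Secrets` are used interchangeably." so the sentence has its article.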
@ -65,11 +67,11 @@ dotnet dev-certs https -ep $env:USERPROFILE\.aspnet\https\aspnetapp.pfx -p <CRED
dotnet dev-certs https --trust
```
> Note: The certificate name, in this case *aspnetapp*.pfx must match the project assembly name.
> Note: `<CREDENTIAL_PLACEHOLDER>` is used as a stand-in for a password of your own choosing.
> Note: If console returns "A valid HTTPS certificate is already present.", a trusted certificate already exists in your store. It can be exported using MMC Console.
> [!NOTE]
>
> - The certificate name, in this case *aspnetapp*.pfx must match the project assembly name.
> - `<CREDENTIAL_PLACEHOLDER>` is used as a stand-in for a password of your own choosing.
> - If console returns "A valid HTTPS certificate is already present.", a trusted certificate already exists in your store. It can be exported using MMC Console.
Configure application secrets, for the certificate:
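Review bot: in the first bullet of the merged note, `*aspnetapp*.pfx` italicizes half of a file name and the clause "in this case *aspnetapp*.pfx" is missing its closing comma. Use a code span for the whole file name (`aspnetapp.pfx`) and close the parenthetical with a comma; the same bullet recurs in the later certificate hunks of this file.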
@ -78,7 +80,8 @@ dotnet user-secrets init -p aspnetapp\aspnetapp.csproj
dotnet user-secrets -p aspnetapp\aspnetapp.csproj set "Kestrel:Certificates:Development:Password" "<CREDENTIAL_PLACEHOLDER>"
```
> Note: The password must match the password used for the certificate.
> [!NOTE]
> The password must match the password used for the certificate.
Build a container image:
@ -107,9 +110,10 @@ dotnet dev-certs https -ep ${HOME}/.aspnet/https/aspnetapp.pfx -p <CREDENTIAL_PL
dotnet dev-certs https --trust
```
> Note: The certificate name, in this case *aspnetapp*.pfx must match the project assembly name.
> Note: `<CREDENTIAL_PLACEHOLDER>` is used as a stand-in for a password of your own choosing.
> [!NOTE]
>
> - The certificate name, in this case *aspnetapp*.pfx must match the project assembly name.
> - `<CREDENTIAL_PLACEHOLDER>` is used as a stand-in for a password of your own choosing.
Configure application secrets, for the certificate:
@ -118,7 +122,8 @@ dotnet user-secrets init -p aspnetapp/aspnetapp.csproj
dotnet user-secrets -p aspnetapp/aspnetapp.csproj set "Kestrel:Certificates:Development:Password" "<CREDENTIAL_PLACEHOLDER>"
```
> Note: The password must match the password used for the certificate.
> [!NOTE]
> The password must match the password used for the certificate.
Build a container image:
@ -146,11 +151,11 @@ Generate cert and configure local machine:
dotnet dev-certs https -ep ${HOME}/.aspnet/https/aspnetapp.pfx -p <CREDENTIAL_PLACEHOLDER>
```
> Note: `dotnet dev-certs https --trust` is only supported on macOS and Windows. You need to trust certs on Linux in the way that is supported by your distro. It is likely that you need to trust the certificate in your browser.
> Note: The certificate name, in this case *aspnetapp*.pfx must match the project assembly name.
> Note: `<CREDENTIAL_PLACEHOLDER>` is used as a stand-in for a password of your own choosing.
> [!NOTE]
>
> - `dotnet dev-certs https --trust` is only supported on macOS and Windows. You need to trust certs on Linux in the way that is supported by your distro. It is likely that you need to trust the certificate in your browser.
> - The certificate name, in this case *aspnetapp*.pfx must match the project assembly name.
> - `<CREDENTIAL_PLACEHOLDER>` is used as a stand-in for a password of your own choosing.
Configure application secrets, for the certificate:
@ -190,11 +195,11 @@ dotnet dev-certs https -ep $env:USERPROFILE\.aspnet\https\aspnetapp.pfx -p <CRED
dotnet dev-certs https --trust
```
> Note: The certificate name, in this case *aspnetapp*.pfx must match the project assembly name.
> Note: `<CREDENTIAL_PLACEHOLDER>` is used as a stand-in for a password of your own choosing.
> Note: If console returns "A valid HTTPS certificate is already present.", a trusted certificate already exists in your store. It can be exported using MMC Console.
> [!NOTE]
>
> - The certificate name, in this case *aspnetapp*.pfx must match the project assembly name.
> - `<CREDENTIAL_PLACEHOLDER>` is used as a stand-in for a password of your own choosing.
> - If console returns "A valid HTTPS certificate is already present.", a trusted certificate already exists in your store. It can be exported using MMC Console.
Configure application secrets, for the certificate:
@ -203,7 +208,8 @@ dotnet user-secrets init -p aspnetapp/aspnetapp.csproj
dotnet user-secrets -p aspnetapp\aspnetapp.csproj set "Kestrel:Certificates:Development:Password" "<CREDENTIAL_PLACEHOLDER>"
```
> Note: The password must match the password used for the certificate.
> [!NOTE]
> The password must match the password used for the certificate.
Build a container image:
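Review bot: the two `dotnet user-secrets` commands around this hunk use different path separators: the hunk header shows `init -p aspnetapp/aspnetapp.csproj` while the next line uses `-p aspnetapp\aspnetapp.csproj`. The earlier Windows section uses backslashes for both, so pick one form per section so readers are not left guessing which shell the commands target.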
@ -219,5 +225,4 @@ docker run --rm -it -p 8001:8001 -e ASPNETCORE_HTTPS_PORTS=8001 -e ASPNETCORE_EN
After the application starts, navigate to `https://localhost:8001` in your web browser.
> In the case of using https, be sure to check the certificate you're using is trusted on the host. You can start with navigating to https://localhost:8001 in the browser. If you're looking to test https with a domain name (e.g. https://contoso.com:8001), the certificate would also need the appropiate Subject Alternative Name included, and the DNS settings on the host would need to be updated. In the case of using the generated dev certificate, the trusted certificate will be issued from localhost and will not have the SAN added.
> In the case of using https, be sure to check the certificate you're using is trusted on the host. You can start with navigating to `https://localhost:8001` in the browser. If you're looking to test https with a domain name (e.g. `https://contoso.com:8001`), the certificate would also need the appropiate Subject Alternative Name included, and the DNS settings on the host would need to be updated. In the case of using the generated dev certificate, the trusted certificate will be issued from localhost and will not have the SAN added.
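Review bot: the rewritten line still contains the misspelling "appropiate", and it remains a plain blockquote while every other note in this file becomes a `> [!NOTE]` alert. Fix the spelling to "appropriate" and convert this block to the alert form for consistency.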


@ -18,7 +18,8 @@ Container scenarios that use volume mounting can produce conflicts between the `
curl -o Directory.Build.props https://raw.githubusercontent.com/dotnet/dotnet-docker/main/samples/Directory.Build.props
```
> Note: You may need to remove `bin` and `obj` directories if you run these instructions on Windows in both Windows and Linux container modes.
> [!NOTE]
> You may need to remove `bin` and `obj` directories if you run these instructions on Windows in both Windows and Linux container modes.
## Console app
@ -52,13 +53,13 @@ You can test this working by simply editing [Program.cs](dotnetapp/Program.cs).
The following instructions demonstrate this scenario in various environments.
## Linux or macOS
### Linux or macOS
```console
docker run --rm -it -v $(pwd):/app/ -w /app mcr.microsoft.com/dotnet/sdk:8.0 dotnet run
```
## Windows using Linux containers
### Windows using Linux containers
This example uses PowerShell.
@ -66,7 +67,7 @@ This example uses PowerShell.
docker run --rm -it -v ${pwd}:/app/ -w /app mcr.microsoft.com/dotnet/sdk:8.0 dotnet run
```
## Windows using Windows containers
### Windows using Windows containers
This example uses PowerShell.
@ -95,7 +96,8 @@ info: Microsoft.Hosting.Lifetime[0]
You can use CTRL-C to terminate `dotnet run`. After the application starts, navigate to `http://localhost:8000` in your web browser.
> Note: This example (and those in the instructions that follow) configure ASP.NET Core via environment variables and disable the use of a launch profile (none of the launch profiles are compatible with this scenario). Instructions are provided later in this document that add and use a new launch profile, which removes the need for specifying environment variables with the Docker CLI.
> [!NOTE]
> This example (and those in the instructions that follow) configure ASP.NET Core via environment variables and disable the use of a launch profile (none of the launch profiles are compatible with this scenario). Instructions are provided later in this document that add and use a new launch profile, which removes the need for specifying environment variables with the Docker CLI.
The following instructions demonstrate this scenario in various environments:
@ -121,7 +123,7 @@ This example uses PowerShell.
docker run --rm -it -p 8000:8080 -v ${pwd}:C:\app\ -w \app -e ASPNETCORE_HTTP_URLS=8080 -e ASPNETCORE_ENVIRONMENT=Development mcr.microsoft.com/dotnet/sdk:8.0 dotnet run --no-launch-profile
```
### Using a launch profile to configure ASP.NET Core
## Using a launch profile to configure ASP.NET Core
The examples above use environment variables to configure ASP.NET Core. You can instead [configure ASP.NET Core with a launchSettings.json file](https://docs.microsoft.com/aspnet/core/fundamentals/environments). The [launchSettings.json file](aspnetapp/aspnetapp/Properties/launchSettings.json) in this app has been updated with a `container` profile that can be used instead of specifying environment variables with the docker CLI.
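Review bot: the `docker run` context line at the top of this hunk sets `ASPNETCORE_HTTP_URLS=8080`, which matches neither `ASPNETCORE_URLS` nor `ASPNETCORE_HTTP_PORTS`, the two variables the ASP.NET sample README in this patch names. Since this section is being restructured, check whether `ASPNETCORE_HTTP_PORTS=8080` was intended.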


@ -22,7 +22,8 @@ Container scenarios that use volume mounting can produce conflicts between the `
curl -o Directory.Build.props https://raw.githubusercontent.com/dotnet/dotnet-docker/main/samples/Directory.Build.props
```
> Note: You may need to remove `bin` and `obj` directories if you run these instructions on Windows in both Windows and Linux container modes.
> [!NOTE]
> You may need to remove `bin` and `obj` directories if you run these instructions on Windows in both Windows and Linux container modes.
## Running tests