Skip to content

Commit 95ba1c3

Browse files
gladjohnCopilot
andcommitted
Add MSAL.NET Release Agent and post-release automation
- Add master AGENTS.md for MSAL.NET agent orchestration - Add Release Agent (.github/agents/release/AGENT.md) with: - 5 pre-release validation checks (signing, warnings, TSA, CG, SDL) - Pipeline variable documentation - Post-release automation flow - Known flaky test documentation - Add post-release GitHub Action (.github/workflows/post-release.yml): - Generates release report in build/release-logs/ - Moves PublicAPI.Unshipped → Shipped - Closes GitHub milestone - Creates GitHub Release from CHANGELOG.md - Notifies Teams release channel - Creates single post-release summary PR - Add build/release-logs/README.md - Add indefinite build retention via ADO retention lease Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent 3fd093c commit 95ba1c3

4 files changed

Lines changed: 528 additions & 0 deletions

File tree

.github/agents/release/AGENT.md

Lines changed: 167 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,167 @@
1+
# MSAL.NET Release Agent
2+
3+
## Purpose
4+
5+
Automates the MSAL.NET release process end-to-end — from queuing the OneBranch pipeline through NuGet publish to post-release cleanup. Replaces the manual spreadsheet checklist with automated checks and a permanent release report.
6+
7+
## Quick Start
8+
9+
Tell Copilot:
10+
```
11+
"Release MSAL"
12+
```
13+
14+
The agent will:
15+
1. Ask you for the **version number** (e.g., `4.85.0`)
16+
2. Queue the OneBranch release pipeline with the correct variables
17+
3. Run pre-release validation checks
18+
4. Wait for your manual approval before NuGet publish
19+
5. Generate a release report and create a post-release PR
20+
21+
## Release Flow
22+
23+
```
24+
┌─────────────────────────────────────────────────────────────┐
25+
│ MSAL Release Agent │
26+
├─────────────────────────────────────────────────────────────┤
27+
│ │
28+
│ 1. TRIGGER │
29+
│ Agent asks: "What version are you releasing?" │
30+
│ Sets variables and queues ADO pipeline │
31+
│ │
32+
│ 2. PRE-RELEASE VALIDATION (automated) │
33+
│ ✓ Package signing verification (7 packages) │
34+
│ ✓ Build warnings audit │
35+
│ ✓ TSA security bugs check │
36+
│ ✓ Component Governance alerts check │
37+
│ ✓ SDL/Compliance tasks check │
38+
│ │
39+
│ 3. APPROVAL GATE (manual) │
40+
│ Engineer reviews pre-release report │
41+
│ Approves NuGet + IDDP publish │
42+
│ │
43+
│ 4. PUBLISH (automated) │
44+
│ NuGet push (7 packages) │
45+
│ IDDP feed push │
46+
│ Build retention lease (indefinite) │
47+
│ │
48+
│ 5. POST-RELEASE (automated) │
49+
│ Create release report: build/release-logs/ │
50+
│ Move PublicAPI.Unshipped → Shipped │
51+
│ Close GitHub milestone │
52+
│ Create GitHub Release │
53+
│ Notify Teams release channel │
54+
│ Create post-release summary PR │
55+
│ │
56+
└─────────────────────────────────────────────────────────────┘
57+
```
58+
59+
## Pipeline Variables
60+
61+
When the agent queues the OneBranch pipeline, it sets these variables:
62+
63+
| Variable | Value | Behavior |
64+
|----------|-------|----------|
65+
| `MicrosoftIdentityClientVersion` | *(user-provided)* | The version to release |
66+
| `Release.IDDP` | `true` | Always set — publish to IDDP feed |
67+
| `Release.NuGet` | `true` | Always set — publish to NuGet.org |
68+
69+
All other variables use their pipeline defaults:
70+
71+
| Variable | Default |
72+
|----------|---------|
73+
| `MsalSourceDir` | `microsoft-authentication-library-for-dotnet\` |
74+
| `PipelineType` | `OneBranch` |
75+
| `MSAL_SKIP_FEDERATED_TESTS` | `True` |
76+
| `LabApiVersion` | `2.0.0` |
77+
| `approvers` | `IdentityDevExDotnet@microsoft.com` |
78+
| `BuildConfig` | `configurations-prod` |
79+
| `INCLUDE_MOBILE_AND_LEGACY_TFM` | `True` |
80+
81+
## Pre-Release Checks
82+
83+
Five automated checks run before the release is approved:
84+
85+
### 1. Package Signing Verification
86+
87+
Runs `nuget verify --all` on each .nupkg to confirm authenticode + NuGet signing.
88+
89+
**Packages verified:**
90+
- `Microsoft.Identity.Client`
91+
- `Microsoft.Identity.Client.Desktop`
92+
- `Microsoft.Identity.Client.Broker`
93+
- `Microsoft.Identity.Client.Desktop.WinUI3`
94+
- `Microsoft.Identity.Client.KeyAttestation`
95+
- `Microsoft.Identity.Client.Extensions.Msal`
96+
- `Microsoft.Identity.Lab.Api`
97+
98+
### 2. Build Warnings Audit
99+
100+
Parses the ADO build timeline via REST API. Filters out known-safe warnings:
101+
- `"Using Node 20 for container startup"` — infra, safe
102+
- `"No files found for tool: binskim"` — no native binaries, expected
103+
- `"updaterepositorypath not allowed"` — policy, safe
104+
- Warnings from `DevApp`, `Test` stages — ignored
105+
106+
Flags any **unexpected** product-code warnings.
107+
108+
### 3. TSA Security Bugs
109+
110+
Queries the [TSA API](https://tsaapivnext.azurewebsites.net/Result/CodeBase/MSAL%20.NET%20AUTH%20SDK/Summary) for active bugs in the `MSAL .NET AUTH SDK` codebase. **Blocks release** if any Critical or Important bugs are active.
111+
112+
### 4. Component Governance Alerts
113+
114+
Queries the [ADO Component Governance API](https://identitydivision.visualstudio.com/IDDP/_componentGovernance/98561) for active alerts (alert type 12724953). **Blocks release** if active alerts exist.
115+
116+
### 5. SDL / Compliance
117+
118+
Verifies all OneBranch SDL pipeline tasks completed successfully:
119+
- CredScan
120+
- PoliCheck
121+
- BinSkim (may be skipped — no native binaries)
122+
- CodeQL
123+
- Roslyn Analyzers
124+
- API Scan
125+
126+
## Post-Release Actions
127+
128+
After successful NuGet publish:
129+
130+
### Build Retention
131+
Adds an ADO retention lease (`daysValid: 36500` ≈ indefinite) so the release build and its artifacts are never deleted by ADO cleanup policies.
132+
133+
### Release Report
134+
Generates a markdown report at `build/release-logs/release-{version}.md` containing:
135+
- Pre-release check results
136+
- Packages published (with versions)
137+
- Build links
138+
- Post-release task status
139+
140+
### Post-Release Summary PR
141+
Creates a single PR that includes:
142+
- The release report file
143+
- `PublicAPI.Unshipped.txt``PublicAPI.Shipped.txt` updates
144+
145+
### Other Automated Tasks
146+
- Close the GitHub milestone matching the version
147+
- Create a GitHub Release with notes extracted from `CHANGELOG.md`
148+
- Post a notification to the Teams release channel
149+
150+
## Known Issues & Flaky Tests
151+
152+
Some tests may fail intermittently during the build:
153+
154+
| Test Area | Issue | Resolution |
155+
|-----------|-------|------------|
156+
| Linux integration tests | Network-dependent, flaky | Re-run the test stage |
157+
| Federated tests | Environment-dependent | Skipped via `MSAL_SKIP_FEDERATED_TESTS=True` |
158+
| Network isolation warnings | OneBranch infra | Safe to ignore |
159+
160+
## Related Links
161+
162+
- **OneBranch Pipeline:** [MSAL.NET-OneBranch-Release-Official](https://identitydivision.visualstudio.com/IDDP/_build?definitionId=1545)
163+
- **GitHub Repo:** [AzureAD/microsoft-authentication-library-for-dotnet](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet)
164+
- **ADO Repo:** [IDDP/MSAL.NET-OneBranch](https://identitydivision.visualstudio.com/IDDP/_git/MSAL.NET-OneBranch)
165+
- **TSA Dashboard:** [MSAL .NET AUTH SDK](https://tsaapivnext.azurewebsites.net/Result/CodeBase/MSAL%20.NET%20AUTH%20SDK/Summary)
166+
- **Component Governance:** [IDDP CG Alerts](https://identitydivision.visualstudio.com/IDDP/_componentGovernance/98561?_a=alerts&typeId=12724953&alerts-view-option=active)
167+
- **NuGet:** [Microsoft.Identity.Client](https://www.nuget.org/packages/Microsoft.Identity.Client)

0 commit comments

Comments
 (0)