|
| 1 | +# MSAL.NET Release Agent |
| 2 | + |
| 3 | +## Purpose |
| 4 | + |
| 5 | +Automates the MSAL.NET release process end-to-end — from queuing the OneBranch pipeline through NuGet publish to post-release cleanup. Replaces the manual spreadsheet checklist with automated checks and a permanent release report. |
| 6 | + |
| 7 | +## Quick Start |
| 8 | + |
| 9 | +Tell Copilot: |
| 10 | +``` |
| 11 | +"Release MSAL" |
| 12 | +``` |
| 13 | + |
| 14 | +The agent will: |
| 15 | +1. Ask you for the **version number** (e.g., `4.85.0`) |
| 16 | +2. Queue the OneBranch release pipeline with the correct variables |
| 17 | +3. Run pre-release validation checks |
| 18 | +4. Wait for your manual approval before NuGet publish |
| 19 | +5. Generate a release report and create a post-release PR |
| 20 | + |
| 21 | +## Release Flow |
| 22 | + |
| 23 | +``` |
| 24 | +┌─────────────────────────────────────────────────────────────┐ |
| 25 | +│ MSAL Release Agent │ |
| 26 | +├─────────────────────────────────────────────────────────────┤ |
| 27 | +│ │ |
| 28 | +│ 1. TRIGGER │ |
| 29 | +│ Agent asks: "What version are you releasing?" │ |
| 30 | +│ Sets variables and queues ADO pipeline │ |
| 31 | +│ │ |
| 32 | +│ 2. PRE-RELEASE VALIDATION (automated) │ |
| 33 | +│ ✓ Package signing verification (7 packages) │ |
| 34 | +│ ✓ Build warnings audit │ |
| 35 | +│ ✓ TSA security bugs check │ |
| 36 | +│ ✓ Component Governance alerts check │ |
| 37 | +│ ✓ SDL/Compliance tasks check │ |
| 38 | +│ │ |
| 39 | +│ 3. APPROVAL GATE (manual) │ |
| 40 | +│ Engineer reviews pre-release report │ |
| 41 | +│ Approves NuGet + IDDP publish │ |
| 42 | +│ │ |
| 43 | +│ 4. PUBLISH (automated) │ |
| 44 | +│ NuGet push (7 packages) │ |
| 45 | +│ IDDP feed push │ |
| 46 | +│ Build retention lease (indefinite) │ |
| 47 | +│ │ |
| 48 | +│ 5. POST-RELEASE (automated) │ |
| 49 | +│ Create release report: build/release-logs/ │ |
| 50 | +│ Move PublicAPI.Unshipped → Shipped │ |
| 51 | +│ Close GitHub milestone │ |
| 52 | +│ Create GitHub Release │ |
| 53 | +│ Notify Teams release channel │ |
| 54 | +│ Create post-release summary PR │ |
| 55 | +│ │ |
| 56 | +└─────────────────────────────────────────────────────────────┘ |
| 57 | +``` |
| 58 | + |
| 59 | +## Pipeline Variables |
| 60 | + |
| 61 | +When the agent queues the OneBranch pipeline, it sets these variables: |
| 62 | + |
| 63 | +| Variable | Value | Behavior | |
| 64 | +|----------|-------|----------| |
| 65 | +| `MicrosoftIdentityClientVersion` | *(user-provided)* | The version to release | |
| 66 | +| `Release.IDDP` | `true` | Always set — publish to IDDP feed | |
| 67 | +| `Release.NuGet` | `true` | Always set — publish to NuGet.org | |
| 68 | + |
| 69 | +All other variables use their pipeline defaults: |
| 70 | + |
| 71 | +| Variable | Default | |
| 72 | +|----------|---------| |
| 73 | +| `MsalSourceDir` | `microsoft-authentication-library-for-dotnet\` | |
| 74 | +| `PipelineType` | `OneBranch` | |
| 75 | +| `MSAL_SKIP_FEDERATED_TESTS` | `True` | |
| 76 | +| `LabApiVersion` | `2.0.0` | |
| 77 | +| `approvers` | `IdentityDevExDotnet@microsoft.com` | |
| 78 | +| `BuildConfig` | `configurations-prod` | |
| 79 | +| `INCLUDE_MOBILE_AND_LEGACY_TFM` | `True` | |
| 80 | + |
| 81 | +## Pre-Release Checks |
| 82 | + |
| 83 | +Five automated checks run before the release is approved: |
| 84 | + |
| 85 | +### 1. Package Signing Verification |
| 86 | + |
| 87 | +Runs `nuget verify --all` on each .nupkg to confirm authenticode + NuGet signing. |
| 88 | + |
| 89 | +**Packages verified:** |
| 90 | +- `Microsoft.Identity.Client` |
| 91 | +- `Microsoft.Identity.Client.Desktop` |
| 92 | +- `Microsoft.Identity.Client.Broker` |
| 93 | +- `Microsoft.Identity.Client.Desktop.WinUI3` |
| 94 | +- `Microsoft.Identity.Client.KeyAttestation` |
| 95 | +- `Microsoft.Identity.Client.Extensions.Msal` |
| 96 | +- `Microsoft.Identity.Lab.Api` |
| 97 | + |
| 98 | +### 2. Build Warnings Audit |
| 99 | + |
| 100 | +Parses the ADO build timeline via REST API. Filters out known-safe warnings: |
| 101 | +- `"Using Node 20 for container startup"` — infra, safe |
| 102 | +- `"No files found for tool: binskim"` — no native binaries, expected |
| 103 | +- `"updaterepositorypath not allowed"` — policy, safe |
| 104 | +- Warnings from `DevApp`, `Test` stages — ignored |
| 105 | + |
| 106 | +Flags any **unexpected** product-code warnings. |
| 107 | + |
| 108 | +### 3. TSA Security Bugs |
| 109 | + |
| 110 | +Queries the [TSA API](https://tsaapivnext.azurewebsites.net/Result/CodeBase/MSAL%20.NET%20AUTH%20SDK/Summary) for active bugs in the `MSAL .NET AUTH SDK` codebase. **Blocks release** if any Critical or Important bugs are active. |
| 111 | + |
| 112 | +### 4. Component Governance Alerts |
| 113 | + |
| 114 | +Queries the [ADO Component Governance API](https://identitydivision.visualstudio.com/IDDP/_componentGovernance/98561) for active alerts (alert type 12724953). **Blocks release** if active alerts exist. |
| 115 | + |
| 116 | +### 5. SDL / Compliance |
| 117 | + |
| 118 | +Verifies all OneBranch SDL pipeline tasks completed successfully: |
| 119 | +- CredScan |
| 120 | +- PoliCheck |
| 121 | +- BinSkim (may be skipped — no native binaries) |
| 122 | +- CodeQL |
| 123 | +- Roslyn Analyzers |
| 124 | +- API Scan |
| 125 | + |
| 126 | +## Post-Release Actions |
| 127 | + |
| 128 | +After successful NuGet publish: |
| 129 | + |
| 130 | +### Build Retention |
| 131 | +Adds an ADO retention lease (`daysValid: 36500` ≈ indefinite) so the release build and its artifacts are never deleted by ADO cleanup policies. |
| 132 | + |
| 133 | +### Release Report |
| 134 | +Generates a markdown report at `build/release-logs/release-{version}.md` containing: |
| 135 | +- Pre-release check results |
| 136 | +- Packages published (with versions) |
| 137 | +- Build links |
| 138 | +- Post-release task status |
| 139 | + |
| 140 | +### Post-Release Summary PR |
| 141 | +Creates a single PR that includes: |
| 142 | +- The release report file |
| 143 | +- `PublicAPI.Unshipped.txt` → `PublicAPI.Shipped.txt` updates |
| 144 | + |
| 145 | +### Other Automated Tasks |
| 146 | +- Close the GitHub milestone matching the version |
| 147 | +- Create a GitHub Release with notes extracted from `CHANGELOG.md` |
| 148 | +- Post a notification to the Teams release channel |
| 149 | + |
| 150 | +## Known Issues & Flaky Tests |
| 151 | + |
| 152 | +Some tests may fail intermittently during the build: |
| 153 | + |
| 154 | +| Test Area | Issue | Resolution | |
| 155 | +|-----------|-------|------------| |
| 156 | +| Linux integration tests | Network-dependent, flaky | Re-run the test stage | |
| 157 | +| Federated tests | Environment-dependent | Skipped via `MSAL_SKIP_FEDERATED_TESTS=True` | |
| 158 | +| Network isolation warnings | OneBranch infra | Safe to ignore | |
| 159 | + |
| 160 | +## Related Links |
| 161 | + |
| 162 | +- **OneBranch Pipeline:** [MSAL.NET-OneBranch-Release-Official](https://identitydivision.visualstudio.com/IDDP/_build?definitionId=1545) |
| 163 | +- **GitHub Repo:** [AzureAD/microsoft-authentication-library-for-dotnet](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet) |
| 164 | +- **ADO Repo:** [IDDP/MSAL.NET-OneBranch](https://identitydivision.visualstudio.com/IDDP/_git/MSAL.NET-OneBranch) |
| 165 | +- **TSA Dashboard:** [MSAL .NET AUTH SDK](https://tsaapivnext.azurewebsites.net/Result/CodeBase/MSAL%20.NET%20AUTH%20SDK/Summary) |
| 166 | +- **Component Governance:** [IDDP CG Alerts](https://identitydivision.visualstudio.com/IDDP/_componentGovernance/98561?_a=alerts&typeId=12724953&alerts-view-option=active) |
| 167 | +- **NuGet:** [Microsoft.Identity.Client](https://www.nuget.org/packages/Microsoft.Identity.Client) |
0 commit comments