Release 1.16.1

.claude/skills/Release/SKILL.md

@@ -0,0 +1,67 @@
+---
+name: Release
+description: Drives the Yubico .NET SDK release end-to-end — version gating, release branch, NativeShims ordering, CI dispatch, tagging, Windows-wizard sign+publish, GitHub release, post-release merge-back, and Slack #ask-tla announcement. USE WHEN release, drop release, ship release, cut release, publish release, release SDK, dotnet release, NuGet release, /Release, /Release resume.
+---
+
+# Release
+
+Project-local skill for shipping a Yubico .NET SDK release. The operator invokes the skill, answers gating questions, and (on Windows) plugs in the code-sign YubiKey. Every other step (branch creation, CI dispatch, artifact download, signing, publishing, tagging, GitHub release, Slack draft) is automated or surfaces an explicit decision gate.
+
+The skill works in two modes:
+- **`/Release`** — full flow from phase 1 (pre-flight) onward
+- **`/Release resume <version>`** — picks up at phase 5 (sign+publish) using cached state from `~/Releases/<version>/.state.json`. Used when phases 1–4 ran on macOS/Linux and the operator switches to Windows for signing.
+
+The Windows-only constraint (`build/sign.ps1` + smart-card YubiKey + `signtool.exe`) is enforced at phase 5 — the skill detects platform and either runs the full wizard (Windows) or stops with a handoff (macOS/Linux).
+
+## Workflow Routing
+
+| Request Pattern | Route To |
+|---|---|
+| Drop release, ship release, cut release, publish release, /Release, /Release resume | `Workflows/DropRelease.md` |
+
+## Examples
+
+**Example 1: Full release on Windows**
+```
+User: "/Release"
+→ Skill loads Workflows/DropRelease.md
+→ Phase 1: confirms version 1.16.1, release date, no blocking PRs
+→ Phase 2: detects no Yubico.NativeShims/ changes, skips NativeShims rebuild
+→ Phase 3: creates release/1.16.1 from develop, drafts whats-new.md, opens PR to main
+→ Phase 4: after PR merged, dispatches build.yml with version=1.16.1, polls until green, tags 1.16.1
+→ Phase 5 (Windows): downloads artifacts to ~/Releases/1.16.1/, runs sign.ps1, publishes to NuGet.org
+→ Phase 6: creates draft GitHub release with signed assets, triggers deploy-docs.yml
+→ Phase 7: merges main back to develop, prints Slack #ask-tla announcement ready to copy
+```
+
+**Example 2: Cross-machine release (start macOS, finish Windows)**
+```
+Operator (on macOS): "/Release"
+→ Phases 1-4 complete (release branch, PR, merge, tag)
+→ Phase 5 detects darwin → STOPS, prints handoff with build.yml run ID and instruction to run `/Release resume 1.16.1` on Windows
+→ State cached to ~/Releases/1.16.1/.state.json (run IDs, version, NativeShims flag)
+
+Operator (on Windows): "/Release resume 1.16.1"
+→ Loads cached state, skips phases 1-4
+→ Phase 5: downloads artifacts (NativeShims first if rebuilt), runs sign.ps1, publishes
+→ Phases 6-7 complete normally
+```
+
+**Example 3: NativeShims-bearing release**
+```
+User: "/Release"
+→ Phase 2 detects changes in Yubico.NativeShims/ since last tag
+→ AskUserQuestion confirms rebuild + NativeShims version bump
+→ Dispatches build-nativeshims.yml first, polls
+→ HARD GATE: NativeShims must be signed AND published to NuGet.org BEFORE build.yml dispatches
+→ Phase 5 status board shows both NativeShims and main package rows
+```
+
+## Hard Constraints
+
+- **Code-signing YubiKey must be unplugged during phases 1–4**: The operator's code-signing YubiKey must NOT be connected to the machine while any build or CI step runs. Integration tests that enumerate YubiKeys can accidentally run PIV/PGP resets against any connected key. The skill gates this: Phase 1 asks the operator to confirm the YubiKey is unplugged. Phase 5 is the ONLY phase where it should be plugged in — `signtool.exe` and `nuget sign` read the PIV certificate safely but cannot coexist with stray test runs. The skill must NEVER run integration tests itself.
+- **Windows-only sign step**: phase 5 refuses to run on non-Windows
+- **NativeShims ordering**: when rebuilt, NativeShims signs + publishes to NuGet.org *before* main `build.yml` dispatches
+- **Tag only after green CI**: `git tag` runs only after `build.yml` reports success — failed builds mean broken artifacts and a poisoned tag
+- **No Versions.props edits**: version is passed as `build.yml` workflow_dispatch input; `<CommonVersion>0.0.0-dev</CommonVersion>` stays unchanged
+- **Release notes never auto-committed**: skill drafts `docs/users-manual/getting-started/whats-new.md` and shows diff for approval before commit

.github/workflows/build-nativeshims.yml

@@ -38,7 +38,7 @@ jobs:
     runs-on: windows-2022
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: audit
 
@@ -78,25 +78,39 @@ jobs:
           if %FAILED%==1 exit /b 1
           echo All Windows builds verified: no VC++ Redistributable required
           exit /b 0
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+      - name: Verify export tables match canonical symbol list
+        shell: pwsh
+        run: |
+          # Set up VC++ environment so dumpbin is on PATH for arm64 inspection
+          & "${env:ProgramFiles}\Microsoft Visual Studio\2022\Enterprise\Common7\Tools\Launch-VsDevShell.ps1" -Arch amd64
+          $script = "$PWD\Yubico.NativeShims\tests\check_exports.ps1"
+          $failed = $false
+          foreach ($arch in @('win-x64', 'win-x86', 'win-arm64')) {
+              Write-Host "=== Checking $arch\Yubico.NativeShims.dll ==="
+              & $script "$PWD\Yubico.NativeShims\$arch\Yubico.NativeShims.dll"
+              if ($LASTEXITCODE -ne 0) { $failed = $true }
+          }
+          if ($failed) { exit 1 }
+          Write-Host "All Windows export tables match canonical symbol list."
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: win-x64
           path: Yubico.NativeShims/win-x64/**
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: win-x86
           path: Yubico.NativeShims/win-x86/**
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: win-arm64
           path: Yubico.NativeShims/win-arm64/**
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: nuspec
           path: | 
             Yubico.NativeShims/*.nuspec
             Yubico.NativeShims/readme.md
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: msbuild
           path: Yubico.NativeShims/msbuild/*
@@ -106,7 +120,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: audit
 
@@ -253,7 +267,11 @@ jobs:
               readelf -V *.so | grep GLIBC_2 | sort -u
               echo "✅ Binary compatible with Debian 10 (glibc 2.28)"
             '
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+      - name: Verify export table matches canonical symbol list
+        working-directory: Yubico.NativeShims
+        run: |
+          bash tests/check_exports.sh linux-x64/libYubico.NativeShims.so
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: linux-x64
           path: Yubico.NativeShims/linux-x64/*.so
@@ -263,7 +281,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: audit
 
@@ -414,7 +432,12 @@ jobs:
               readelf -V *.so | grep GLIBC_2 | sort -u
               echo "✅ ARM64 binary compatible with Debian 10 (glibc 2.28)"
             '
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+      - name: Verify export table matches canonical symbol list
+        working-directory: Yubico.NativeShims
+        run: |
+          # nm reads ELF metadata regardless of target arch — works on x86_64 host inspecting aarch64 .so
+          bash tests/check_exports.sh linux-arm64/libYubico.NativeShims.so
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: linux-arm64
           path: Yubico.NativeShims/linux-arm64/*.so
@@ -424,7 +447,7 @@ jobs:
     runs-on: macos-14
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: audit
 
@@ -440,11 +463,19 @@ jobs:
           else
             sh ./build-macOS.sh
           fi
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+      - name: Verify export tables match canonical symbol list
+        working-directory: Yubico.NativeShims
+        run: |
+          set -e
+          for arch in osx-x64 osx-arm64; do
+              echo "=== Checking $arch/libYubico.NativeShims.dylib ==="
+              bash tests/check_exports.sh "$arch/libYubico.NativeShims.dylib"
+          done
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: osx-x64
           path: Yubico.NativeShims/osx-x64/**
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: osx-arm64
           path: Yubico.NativeShims/osx-arm64/**
@@ -463,7 +494,7 @@ jobs:
       GITHUB_REPO_URL: https://github.com/${{ github.repository }}
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: audit
 
@@ -483,7 +514,7 @@ jobs:
       - run: nuget pack Yubico.NativeShims.nuspec
 
       - name: Upload Nuget Package
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: NuGet Package NativeShims
           path: Yubico.NativeShims.*.nupkg
@@ -507,7 +538,7 @@ jobs:
     if: ${{ github.event.inputs.push-to-dev == 'true' }}
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: audit
 

.github/workflows/build-pull-requests.yml

@@ -54,7 +54,7 @@ jobs:
 
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: audit
 
@@ -74,15 +74,15 @@ jobs:
           NUGET_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Save build artifacts
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: Nuget Packages Release
           path: |
             Yubico.Core/src/bin/Release/*.nupkg
             Yubico.YubiKey/src/bin/Release/*.nupkg
 
       - name: Save build artifacts
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: Assemblies Release
           path: |