Create prepare-release script and bot pipeline (#15745)

Author: vmoroz

.ado/jobs/setup.yml

@@ -34,16 +34,24 @@ jobs:
 
       - script: npx lage build --scope @rnw-scripts/beachball-config --no-deps
         displayName: Build @rnw-scripts/beachball-config
-      
+
+      - script: |
+          echo "System.PullRequest.SourceBranch = $(System.PullRequest.SourceBranch)"
+          echo "Build.SourceBranch = $(Build.SourceBranch)"
+          echo "Build.SourceBranchName = $(Build.SourceBranchName)"
+        displayName: Print branch variables
+
       - pwsh: |
           npx --yes beachball check --branch origin/$(BeachBallBranchName) --verbose 2>&1 | Tee-Object -Variable beachballOutput
           $beachballErrors = $beachballOutput | Where-Object { $_ -match "ERROR: *"}
           $beachballErrors | ForEach { Write-Host "##vso[task.logissue type=warning]POSSIBLE $_" }
         displayName: Warn for possible invalid change files
+        condition: not(startsWith(variables['System.PullRequest.SourceBranch'], 'prepare-release/'))
 
       - ${{ if endsWith(parameters.buildEnvironment, 'PullRequest') }}:
         - script: npx --yes beachball check --branch origin/$(BeachBallBranchName) --verbose --changehint "##vso[task.logissue type=error]Run \"yarn change\" from root of repo to generate a change file."
           displayName: Check for change files
+          condition: not(startsWith(variables['System.PullRequest.SourceBranch'], 'prepare-release/'))
 
       - script: npx --yes beachball bump --branch origin/$(BeachBallBranchName) --yes --verbose
         displayName: beachball bump

.ado/prepare-release-bot.yml

@@ -0,0 +1,79 @@
+name: $(Date:yyyyMMdd).$(Rev:r)
+
+# Triggers are configured in the ADO pipeline UI:
+# - CI triggers on pushes to main and *-stable branches
+# - Scheduled triggers for daily runs
+# - Manual runs with optional branch override
+trigger: none
+pr: none
+
+parameters:
+  - name: targetBranch
+    displayName: Target branch for version bump (use default to use pipeline source branch)
+    type: string
+    default: (source branch)
+    values:
+      - (source branch)
+      - main
+      - 0.82-stable
+      - 0.81-stable
+      - 0.80-stable
+      - 0.74-stable
+
+jobs:
+  - job: PrepareRelease
+    displayName: Prepare Release Bot
+    pool:
+      vmImage: windows-latest
+    timeoutInMinutes: 30
+
+    steps:
+      - checkout: self
+        persistCredentials: true
+        fetchDepth: 1
+        fetchTags: false
+
+      - script: |
+          git config user.name "React-Native-Windows Bot"
+          git config user.email "53619745+rnbot@users.noreply.github.com"
+        displayName: Configure Git Identity
+
+      # Extract OAuth token from persistCredentials for GitHub API access (gh CLI)
+      - pwsh: |
+          $headerLine = git config --get-regexp "http.*\.extraheader" 2>$null | Select-Object -First 1
+          if (-not $headerLine) {
+            Write-Host "##[error]No HTTP extraheader found. persistCredentials may not be working."
+            exit 1
+          }
+          $encoded = ($headerLine.Split(' ')[-1]).Trim()
+          $decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($encoded))
+          $token = $decoded.Split(':')[-1]
+          Write-Host "Extracted GitHub OAuth token (length=$($token.Length))"
+          Write-Host "##vso[task.setvariable variable=GitHubOAuthToken;issecret=true]$token"
+        displayName: Extract GitHub OAuth token
+
+      - task: NodeTool@0
+        displayName: Set Node Version
+        inputs:
+          versionSpec: '24.x'
+
+      - script: if not exist %APPDATA%\npm (mkdir %APPDATA%\npm)
+        displayName: Ensure npm directory for npx commands
+
+      - script: npx --yes midgard-yarn@1.23.34 --ignore-scripts --frozen-lockfile
+        displayName: yarn install
+
+      - script: npx lage build --scope @rnw-scripts/prepare-release --scope @rnw-scripts/beachball-config
+        displayName: Build prepare-release and dependencies
+
+      - ${{ if ne(parameters.targetBranch, '(source branch)') }}:
+        - pwsh: Write-Host "##vso[task.setvariable variable=TargetBranch]${{ parameters.targetBranch }}"
+          displayName: Set target branch from parameter
+      - ${{ else }}:
+        - pwsh: Write-Host "##vso[task.setvariable variable=TargetBranch]$(Build.SourceBranchName)"
+          displayName: Set target branch from source
+
+      - script: npx prepare-release --branch $(TargetBranch) --no-color
+        displayName: Prepare Release
+        env:
+          GH_TOKEN: $(GitHubOAuthToken)

.ado/publish.yml

@@ -1,18 +1,6 @@
 name: 0.0.$(Date:yyMM.d)$(Rev:rrr)
 
 parameters:
-- name: skipNpmPublish
-  displayName: Skip Npm Publish
-  type: boolean
-  default: false
-- name: skipGitPush
-  displayName: Skip Git Push
-  type: boolean
-  default: false
-- name: stopOnNoCI
-  displayName: Stop if latest commit is ***NO_CI***
-  type: boolean
-  default: true
 - name: performBeachballCheck
   displayName: Perform Beachball Check (Disable when promoting)
   type: boolean
@@ -74,18 +62,10 @@ parameters:
 variables:
   - template: variables/windows.yml
   - group: RNW Secrets
-  - name: SkipGitPushPublishArgs
-    value: ''
   - name: FailCGOnAlert
     value: false
   - name: EnableCodesign
     value: false
-  - name: ArtifactServices.Symbol.AccountName
-    value: microsoft
-  - name: ArtifactServices.Symbol.PAT
-    value: $(pat-symbols-publish-microsoft)
-  - name: SourceBranchWithFolders
-    value: $[ replace(variables['Build.SourceBranch'], 'refs/heads/', '') ]
 
 trigger: none
 pr: none
@@ -105,8 +85,6 @@ extends:
     sdl:
       credscan:
           suppressionsFile: $(Build.SourcesDirectory)\.ado\config\CredScanSuppressions.json
-      binskim:
-          break: false  # BA2007 is suppressed via .gdn/.gdnsuppress - don't fail build
       spotBugs:
           enabled: false # We don't have any java, but random packages in node_modules do
     stages:
@@ -118,20 +96,9 @@ extends:
           timeoutInMinutes: 120
           cancelTimeoutInMinutes: 5
           steps:
-          - powershell: |
-              Write-Host "Stopping because commit message contains ***NO_CI***."
-              $uri = "https://dev.azure.com/microsoft/ReactNative/_apis/build/builds/$(Build.BuildId)?api-version=5.1"
-              $json = @{status="Cancelling"} | ConvertTo-Json -Compress
-              $build = Invoke-RestMethod -Uri $uri -Method Patch -Headers @{Authorization = "Bearer $(System.AccessToken)"} -ContentType "application/json" -Body $json
-              Write-Host $build
-              Write-Host "Waiting 60 seconds for build cancellation..."
-              Start-Sleep -Seconds 60
-            displayName: Stop pipeline if latest commit message contains ***NO_CI***
-            condition: and(${{ parameters.stopOnNoCI }}, contains(variables['Build.SourceVersionMessage'], '***NO_CI***'))
-
           - template: .ado/templates/checkout-full.yml@self
             parameters:
-              persistCredentials: false # We're going to use rnbot's git creds to publish
+              persistCredentials: false
 
           - powershell: gci env:/BUILD_*
             displayName: Show build information
@@ -144,15 +111,15 @@ extends:
             displayName: Fix missing npm config
 
           - pwsh: |
-              npx --yes beachball check --verbose 2>&1 | Tee-Object -Variable beachballOutput
+              npx beachball check --verbose 2>&1 | Tee-Object -Variable beachballOutput
               $beachballErrors = $beachballOutput | Where-Object { $_ -match "ERROR: *"}
               $beachballErrors | ForEach { Write-Host "##vso[task.logissue type=error]$_" }
               if ( $beachballErrors.Count -gt 0)  { throw "Beachball check found $($beachballErrors.Count) errors." }
             displayName: Beachball Check
             condition: ${{ parameters.performBeachballCheck }}
 
         - job: RnwNpmPublish
-          displayName: React-Native-Windows Npm Build Rev Publish
+          displayName: React-Native-Windows Npm Pack
           dependsOn: RnwPublishPrep
           pool:
             name: Azure-Pipelines-1ESPT-ExDShared
@@ -165,65 +132,19 @@ extends:
             parameters:
               agentImage: HostedImage
 
-          - template: .ado/templates/configure-git.yml@self
-
-          - pwsh: |
-              Write-Host "##vso[task.setvariable variable=SkipGitPushPublishArgs]--no-push"
-            displayName: Enable No-Publish (git)
-            condition: ${{ parameters.skipGitPush }}
-
-          # Beachball publishes NPM packages to the "$(Pipeline.Workspace)\published-packages" folder.
-          # It pushes NPM version updates to Git depending on the SkipGitPushPublishArgs variable derived from the skipGitPush parameter.
-          - script: |
-              if exist "$(Pipeline.Workspace)\published-packages" rd /s /q "$(Pipeline.Workspace)\published-packages"
-              mkdir "$(Pipeline.Workspace)\published-packages"
-              npx --yes beachball publish --no-publish $(SkipGitPushPublishArgs) --pack-to-path "$(Pipeline.Workspace)\published-packages" --branch origin/$(SourceBranchWithFolders) -yes --bump-deps --verbose --access public --message "applying package updates ***NO_CI***"
-            displayName: Beachball Publish
+          - script: node .ado/scripts/npmPack.js --clean --no-color "$(Pipeline.Workspace)\published-packages"
+            displayName: Pack npm packages
 
           - script: dir /s "$(Pipeline.Workspace)\published-packages"
             displayName: Show created npm packages
 
-          # Beachball reverts to local state after publish, but we want the updates it added
-          - script: git pull origin $(SourceBranchWithFolders)
-            displayName: git pull
-
-          - script: npx @rnw-scripts/create-github-releases --yes --authToken $(githubAuthToken)
-            displayName: Create GitHub Releases (New Canary Version)
-            condition: and(succeeded(), ${{ not(parameters.skipGitPush) }}, ${{ eq(variables['Build.SourceBranchName'], 'main') }} )
-
-          - script: npx --yes @rnw-scripts/create-github-releases@latest --yes --authToken $(githubAuthToken)
-            displayName: Create GitHub Releases (New Stable Version)
-            condition: and(succeeded(), ${{ not(parameters.skipGitPush) }}, ${{ ne(variables['Build.SourceBranchName'], 'main') }} )
-
           - template: .ado/templates/set-version-vars.yml@self
             parameters:
               buildEnvironment: Continuous
 
           - script: echo NpmDistTag is $(NpmDistTag)
             displayName: Show NPM dist tag
 
-          - script: dir /s "$(Pipeline.Workspace)\published-packages"
-            displayName: Show npm packages before ESRP release
-
-          # TODO: Re-enable after fixing publishing issues
-          - task: 'SFP.release-tasks.custom-build-release-task.EsrpRelease@10'
-            displayName: 'ESRP Release to npmjs.com'
-            enabled: true
-            condition: and(succeeded(), ne(variables['NpmDistTag'], ''))
-            inputs:
-              connectedservicename: 'ESRP-CodeSigning-OGX-JSHost-RNW'
-              usemanagedidentity: false
-              keyvaultname: 'OGX-JSHost-KV'
-              authcertname: 'OGX-JSHost-Auth4'
-              signcertname: 'OGX-JSHost-Sign3'
-              clientid: '0a35e01f-eadf-420a-a2bf-def002ba898d'
-              domaintenantid: 'cdc5aeea-15c5-4db6-b079-fcadd2505dc2'
-              contenttype: npm
-              folderlocation: '$(Pipeline.Workspace)\published-packages'
-              productstate: '$(NpmDistTag)'
-              owners: 'vmorozov@microsoft.com'
-              approvers: 'khosany@microsoft.com'
-
           - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
             displayName: 📒 Generate Manifest Npm
             inputs:
@@ -347,15 +268,6 @@ extends:
 
             - template: .ado/templates/component-governance.yml@self
 
-            # Make symbols available through http://symweb.
-            - task: PublishSymbols@2
-              displayName: Publish symbols
-              enabled: false
-              inputs:
-                SearchPattern: vnext/target/**/*.pdb
-                SymbolServerType: TeamServices
-                Pat: $(System.AccessToken)
-
             templateContext:
               sdl:
                 binskim:
@@ -441,9 +353,10 @@ extends:
           # Symbol Publishing for Work Item 59264834 - MSRC Compliance
           - task: PublishSymbols@2
             displayName: 'Publish Symbols to Microsoft Symbol Server'
-            enabled: false
-            condition: and(succeeded(), in(variables['Build.Reason'], 'IndividualCI', 'BatchedCI'))
+            enabled: true
             inputs:
+              UseNetCoreClientTool: true
+              ConnectedServiceName: Office-React-Native-Windows-Bot
               SymbolsFolder: '$(System.DefaultWorkingDirectory)\NugetRoot'
               SearchPattern: '**/*.pdb'
               SymbolServerType: 'TeamServices'
@@ -452,7 +365,6 @@ extends:
               SymbolsArtifactName: 'ReactNativeWindows-Symbols'
               DetailedLog: true
               TreatNotIndexedAsWarning: false
-              Pat: $(System.AccessToken)
 
           templateContext:
             sdl:

.ado/release.yml

@@ -82,43 +82,85 @@ extends:
 
       - job: PushPrivateAdo
         displayName: ADO - nuget - react-native
-        timeoutInMinutes: 0
+
         templateContext:
           inputs:
           - input: pipelineArtifact
             pipeline: 'Publish'
             artifactName: 'ReactWindows-final-nuget'
             targetPath: '$(Pipeline.Workspace)/ReactWindows-final-nuget'
+        
         steps:
         - checkout: none
-        - task: NuGetToolInstaller@1
-          displayName: 'Use NuGet '
-        - template: .ado/templates/authenticate-office-react-native-windows-bot.yml@self
-        - task: CmdLine@2
-          displayName: NuGet push (react-native)
+
+        - script: dir /S $(Pipeline.Workspace)\ReactWindows-final-nuget
+          displayName: Show directory contents
+
+        - task: AzureCLI@2
+          displayName: Override NuGet credentials with Managed Identity
           inputs:
-            script: nuget.exe push *.nupkg -ApiKey $(oficeReactnativeWindowsBotAadAuthToken) -Source https://pkgs.dev.azure.com/ms/_packaging/react-native/nuget/v3/index.json -NonInteractive -Verbosity Detailed -SkipDuplicate -NoSymbols
-            workingDirectory: $(Pipeline.Workspace)/ReactWindows-final-nuget
+            azureSubscription: 'Office-React-Native-Windows-Bot'
+            visibleAzLogin: false
+            scriptType: 'pscore'
+            scriptLocation: 'inlineScript'
+            inlineScript: |
+              $accessToken = az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv
+              # Set the access token as a secret, so it doesn't get leaked in the logs
+              Write-Host "##vso[task.setsecret]$accessToken"
+              # Override the apitoken of the nuget service connection, for the duration of this stage
+              Write-Host "##vso[task.setendpoint id=a7e33797-4804-4a1d-911d-5bd325e50a85;field=authParameter;key=apitoken]$accessToken"
+  
+        - task: 1ES.PublishNuGet@1
+          displayName: NuGet push to ms/react-native-public
+          inputs:
+            useDotNetTask: true
+            packageParentPath: '$(Pipeline.Workspace)/ReactWindows-final-nuget'
+            packagesToPush: '$(Pipeline.Workspace)/ReactWindows-final-nuget/*.nupkg'
+            nuGetFeedType: external
+            publishFeedCredentials: 'ms/react-native ADO Feed'
+            externalEndpoint: 'ms/react-native ADO Feed'
+            publishPackageMetadata: true
 
       - job: PushPublicAdo
         displayName: ADO - nuget - react-native-public
-        timeoutInMinutes: 0
+        
         templateContext:
           inputs:
           - input: pipelineArtifact
             pipeline: 'Publish'
             artifactName: 'ReactWindows-final-nuget'
             targetPath: '$(Pipeline.Workspace)/ReactWindows-final-nuget'
+        
         steps:
         - checkout: none
-        - task: NuGetToolInstaller@1
-          displayName: 'Use NuGet '
-        - template: .ado/templates/authenticate-office-react-native-windows-bot.yml@self
-        - task: CmdLine@2
-          displayName: NuGet push (react-native-public)
+
+        - script: dir /S $(Pipeline.Workspace)\ReactWindows-final-nuget
+          displayName: Show directory contents
+
+        - task: AzureCLI@2
+          displayName: Override NuGet credentials with Managed Identity
           inputs:
-            script: nuget.exe push *.nupkg -ApiKey $(oficeReactnativeWindowsBotAadAuthToken) -Source https://pkgs.dev.azure.com/ms/react-native/_packaging/react-native-public/nuget/v3/index.json -NonInteractive -Verbosity Detailed -SkipDuplicate -NoSymbols
-            workingDirectory: $(Pipeline.Workspace)/ReactWindows-final-nuget
+            azureSubscription: 'Office-React-Native-Windows-Bot'
+            visibleAzLogin: false
+            scriptType: 'pscore'
+            scriptLocation: 'inlineScript'
+            inlineScript: |
+              $accessToken = az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv
+              # Set the access token as a secret, so it doesn't get leaked in the logs
+              Write-Host "##vso[task.setsecret]$accessToken"
+              # Override the apitoken of the nuget service connection, for the duration of this stage
+              Write-Host "##vso[task.setendpoint id=9a2456d0-c163-405b-be24-c03fd74b155a;field=authParameter;key=apitoken]$accessToken"
+  
+        - task: 1ES.PublishNuGet@1
+          displayName: NuGet push to ms/react-native-public
+          inputs:
+            useDotNetTask: true
+            packageParentPath: '$(Pipeline.Workspace)/ReactWindows-final-nuget'
+            packagesToPush: '$(Pipeline.Workspace)/ReactWindows-final-nuget/*.nupkg'
+            nuGetFeedType: external
+            publishFeedCredentials: 'ms/react-native-public ADO Feed'
+            externalEndpoint: 'ms/react-native-public ADO Feed'
+            publishPackageMetadata: true
 
       - job: PushNuGetOrg
         displayName: nuget.org - Push nuget packages