4.15.4 Release checklist

[compulim]

Checklist

Build

1. [x] ~Bump MockBot to Bot Framework SDK release 4.15.4~ (not needed for patch release)
   • https://www.npmjs.com/package/botbuilder/v/latest
2. [x] ~Bump botframework-directlinejs to x.y.z~ (no newer version)
3. [x] Bump to 4.15.4
   • [x] Update CHANGELOG.md to mark specific changes in 4.15.4
   • [x] Run npm version --no-git-tag-version 4.15.4
   • [x] Merged into main, the PR number is #4416
   • Commit is 2348572
   • Do not merge any other unrelated changes after this PR. Any other PR merged, will need to be re-tested
4. [x] Run daily pipeline manually, set "generate release version number" to true
   • (This will not push to NPM or CDN)
   • Pipeline name is BotFramework-WebChat-daily
   • The build number is 322037 and commit is 2348572
5. [x] Wait for WebChat-release-testing pipeline to complete
   • Pipeline name is Push-Release-Testing-to-GitHub-Pages
   • The release ID is 425
6. [x] Check component governance and make sure there are no high/critical related to code under /packages/ folder
   • There could be some for projects under /samples/ folder, as they are pointing to previous version of Web Chat
7. [x] Add manual tests to WebChat-release-testing as needed

Test

The test should run against the build artifacts from Azure Pipelines.

1. [x] Manual testing on major browsers using webchat-release-testing
   • [x] Before starting testing, update all the browser version to latest
   • [x] Chrome 105.0.5195.127
   • [x] Edge 107.0.1387.0
   • [x] Firefox 104.0.2
   • [x] IE11 (Windows 11 22H2 22622.598)
   • [x] macOS Safari 16.0 (17614.1.25.9.10)
   • [x] iOS Safari 16.0
   • [x] iPadOS Safari 15.7
   • [x] Android Chrome 105.0.5195.79
2. [x] Test specific fixes related to 4.15.4 and previous releases
   • [x] Upload a file of 1024 bytes while using Polish locale

Release

1. [x] Verify on WebChat-release-testing
2. [x] Make sure you are on main ~or qfe~ branch, run git status to check
3. [x] git pull
4. [x] Verify /package.json, /package-lock.json, and CHANGELOG.md has a version of 4.15.4
5. [x] git log
   • Verify the latest commit is 2348572
6. [x] git tag v4.15.4
7. [x] git push -u upstream v4.15.4
   • You do not need to kick off a build again, use the previous build
8. [x] Create a new GitHub release, copy entries from CHANGELOG.md
   • [x] Subresource Integrity can be generated by
     • From local: cat webchat.js | openssl dgst -sha384 -binary | openssl base64 -A
     • From CDN: curl -H 'Accept-Encoding: gzip' https://cdn.botframework.com/botframework-webchat/4.15.4/webchat.js | gunzip - | openssl dgst -sha384 -binary | openssl base64 -A
   • [x] Attach assets including 3 JS files, stats.json and 5 tarballs
     • You can copy the artifacts from webchat-release-testing/drops
     • Tarballs download from npmjs

       curl -LO https://registry.npmjs.org/botframework-directlinespeech-sdk/-/botframework-directlinespeech-sdk-4.15.4.tgz
       curl -LO https://registry.npmjs.org/botframework-webchat/-/botframework-webchat-4.15.4.tgz
       curl -LO https://registry.npmjs.org/botframework-webchat-core/-/botframework-webchat-core-4.15.4.tgz
       curl -LO https://registry.npmjs.org/botframework-webchat-api/-/botframework-webchat-api-4.15.4.tgz
       curl -LO https://registry.npmjs.org/botframework-webchat-component/-/botframework-webchat-component-4.15.4.tgz
       

9. [x] Kick off release to NPM
   • Release name is [[PROD]]Push-WebChat-to-npmjs
   • The build number is 322037 release number is 42 and commit is 2348572
   • [x] Verify package content then click Resume
   • [x] Retain the release indefinitely
10. [x] Kick off release to CDN (cutoff at 2PM PST, Mon-Thu only)
    1. [x] Prepare the email for approval
       • [x] ~If there are any breaking changes, explain in the email if it will affect any customers~
       • Release name is [[PROD]]Push-WebChat-to-Prod-CDN-with-approval
       • The build number is 322037, release number is 46 and commit is 2348572
       • Script build number is 320590 (this is fixed)
    2. [x] Send reminder email to approvers
    3. [x] Retain the build indefinitely

Post-release verification - complete within 30 minutes after release to NPM

• [x] Test using webchat-release-testing
  1. [x] Clone https://github.com/corinagum/WebChat-release-testing/
  2. [x] 01.create-react-app
     1. [x] Nuke 01.create-react-app/node_modules
     2. [x] npm install
     3. [x] npm install [email protected] (just install the bundle package)
     4. [x] npm run build
  3. [x] Others
     • Using script tags from https://github.com/microsoft/BotFramework-WebChat/releases/tag/v4.15.4, with subresource integrity

       <script
         crossorigin="anonymous"
         integrity="sha384-hm7B00mbtnkFvRyz6+PZuG2yfM3JaBdEUPYw7BEPKQWZqu1s3G8KFiyOIqOMEk+v"
         src="https://cdn.botframework.com/botframework-webchat/4.15.4/webchat.js"
       ></script>
       
       <script
         crossorigin="anonymous"
         integrity="sha384-9pDJTvPL0wLKBbhzIDeYtyOXpMQgf3VVqPMKPWKTs+p/J8oOqOEy0piRhj9Atlzz"
         src="https://cdn.botframework.com/botframework-webchat/4.15.4/webchat-es5.js"
       ></script>
       
       <script
         crossorigin="anonymous"
         integrity="sha384-yyVMTpA21TwmR+Cfm3ktfuYwApD/XUCxVYOSfUssIKI05H25L/2D5bJQ817fFsMp"
         src="https://cdn.botframework.com/botframework-webchat/4.15.4/webchat-minimal.js"
       ></script>
       

  4. [x] npx serve (at repo root)
  5. [x] Go to http://localhost:5000/ to test, including IE11

Notification to interested parties

• [ ] Update partner page on Adaptive Cards doc
  • https://docs.microsoft.com/en-us/adaptive-cards/resources/partners
  • PR at https://github.com/MicrosoftDocs/AdaptiveCards/pull/XXX
• [ ] Notify related parties for the following fixes
  • [ ] SDK team
  • [ ] Omnichannel
  • [ ] Pooja/Zhipeng
• [ ] ~Update root README.md with feature notes -- Note: PR will be combined with post-release checklist PR~

---

Post-release checklist

These are chores that we should do before starting the cycle to reduce ripple effects if we do it in mid-cycle.

Tips:

• Clean your repo before start
• Remove node_modules from all folder
  • git clean -fdx
• Never delete package-lock.json
• If you mess it up, tableflip and redo
• In component/package.json
  • Remove reference to botframework-webchat-core by hand-modifying package.json
  • Then, npm install (symlinks will be broken afterward)
  • Then, add those references back by hand-modifying package.json
  • This also applies for other packages with similar dependencies/symlinks
  • To build afterward, do tableflip to rebuild those symlinks

Applies to all releases

This list should be copied to versions in the future.

• [ ] ~If on QFE branch, make sure CHANGELOG.md and version number bump is cherry-picked to main~
  • [ ] ~git checkout main~
  • [ ] ~git cherry-pick XXX (the commitish for bumping version number and CHANGELOG.md)~
• [ ] ~If needed, correct the date for 4.15.4 in CHANGELOG.md in PR #XXX~
  • ~There could be last minute fixes that could push the planned date later than the one in CHANGELOG.md~
• [ ] Bump package.json to 4.15.5-0 in PR #XXX
  • Run npm version prepatch --no-git-tag-version
• [ ] Update servicingPlan.json in PR #XXX
  • Add deprecation notes for previous versions
  • Subresource integrity hash from https://github.com/microsoft/BotFramework-WebChat/releases/tag/v4.15.4
• [ ] ~Update all samples to use 4.15.4 in PR #XXXX~
  • Some samples are pointing to GitHub Releases because the sample need new features from daily build
  • Search "https://github.com/microsoft/BotFramework-WebChat/releases/download/"
    • And replace with "https://cdn.botframework.com/botframework-webchat/latest/"
• [ ] ~Clean up unnecessary branch on official repo~
• [ ] Understand production-hitting vulnerabilities
  • [ ] Create a new folder
  • [ ] Run npm init with default values
  • [ ] Run npm install [email protected]
  • [ ] Look at the result and see if there are any production-hitting vulnerabilities, investigate if needed
    • No vulnerabilities found
• [ ] Bump in Power Virtual Agents

Applies to major/minor releases

Bump all dependencies to latest version

In PR #XXX, we are bumping most dependencies to latest version.

After bumping, if a package broke compatibility, we should investigate:

• Upgrade our code to use the latest package if possible, otherwise;
• Add it to package.json/skipBump to prevent bumping deliberately:
  • Skipping bump incur unpredictable technical debts, say, security issue found in the unsupported version, causing us slow to react
  • Plausible reasons (non-exhaustive):
    • Package is not ES5;
    • Package is ESM and requires the whole dependency chain to be upgraded, however, it is technically impossible (unrelated to cost).

• [ ] Run npm run bump
• [ ] Run npm audit fix to make sure everything is fixed
• [ ] Test under IE11 to make sure all dependencies are working
• [ ] List steps to verify bumping microsoft-cognitiveservices-speech-sdk

Obstacles to bump npm

Check if the followings are still valid. We should bump to npm@latest ([email protected]) as soon as possible.

As of writing, [email protected] (bundled by node@16) has issue on running postinstall script.

[email protected] is peer-depends on @angular/common, which npm@7 will automatically install missing peer dependencies. Track the issue here.

Update CI/CD pipeline to use latest images

Some pipelines are still using windows-2016 image which will be deprecated soon, we need to update them.

• [ ] CD pipeline to windows-latest

Bump Docker image

The Docker image can be found at root docker-compose.yml and Dockerfile*.

• [ ] ~Docker container for headless Chrome (#XXX)~
  • They recently moved from 3.14.159-xxx tag scheme to a more sensible 87.0 tag scheme
  • Tags can be found at https://hub.docker.com/r/selenium/node-chrome/tags
  • Preferably in separate PR because screenshots change can be large occasionally
  • Run tests locally, as the screenshots can be slightly different
  • Also consider bumping to Edge-based images