4.17.0 Release checklist

[compulim]

Checklist

Build

1. [x] ~Bump MockBot to latest Bot Framework SDK release~ (not needed for patch release)
   • https://www.npmjs.com/package/botbuilder/v/latest
2. [x] ~Bump botframework-directlinejs to 0.15.5 in PR #XXX~
3. [x] Update README.md with feature notes
4. [x] Bump to 4.17.0
   • [x] Update CHANGELOG.md to mark specific changes in 4.17.0
   • [x] Run npm version --no-git-tag-version 4.17.0
   • [x] Merged into main, the PR number is #5171
   • Commit is f03d1f0
   • Do not merge any other unrelated changes after this PR. Any other PR merged, will need to be re-tested
5. [x] Run official build pipeline manually, set "Generate_Prod_Version_Number" to true
   • (This will not push to NPM or CDN)
   • Pipeline name is BotFramework-WebChat-Official
   • The build number is 388824 and commit is f03d1f0
6. [x] Run WebChat-release-testing pipeline and wait for complete
   • Release pipeline name is Push-Release-Testing-to-GitHub-Pages
   • The release ID is 524
7. [x] Check component governance and make sure there are no high/critical related to code under /packages/ folder
   • There could be some for projects under /samples/ folder, as they are pointing to previous version of Web Chat
8. [x] Add manual tests to WebChat-release-testing as needed

Test

The test should run against the build artifacts from Azure Pipelines.

1. [x] Manual testing on major browsers using webchat-release-testing
   • [x] Before starting testing, update all the browser version to latest
   • [x] Chrome 124.0.6367.119
   • [x] Edge 126.0.2566.0
   • [x] Firefox 125.0.3
   • [x] ~IE11 (Windows 11 22H2 23531.1001)~
   • [x] macOS Safari 16.5 (18615.2.9.11.4)
   • [x] iOS Safari 17.4.1 (21E236)
   • [x] iPadOS Safari 17.4.1 (21E236)
   • [x] Android Chrome 124.0.6367.113
2. [x] Test specific fixes related to 4.17.0 and previous releases
   • Citation
   • Experimental Fluent UI

Note: when the bot is sending a long message (say, markdown) via Direct Line Speech, the service may kill the connection. This is an issue on Direct Line Speech service and is not an issue about Web Chat.

Release

1. [x] Make sure you are on main ~or qfe~ branch, run git status to check
2. [x] git pull
3. [x] Verify /package.json, /package-lock.json, and CHANGELOG.md has a version of 4.17.0
4. [x] git log
   • Verify the latest commit is f03d1f0
5. [x] git tag v4.17.0
6. [x] git push -u upstream v4.17.0
   • You do not need to kick off a build again, use the previous build
7. [x] Create a new GitHub release
   • [x] Copy entries from CHANGELOG.md
   • [x] Subresource Integrity can be generated by
     • From local: for file in $(ls *.js); do echo $file $(cat $file | openssl dgst -sha384 -binary | openssl base64 -A); done
     • From CDN: curl -H 'Accept-Encoding: gzip' https://cdn.botframework.com/botframework-webchat/4.17.0/webchat.js | gunzip - | openssl dgst -sha384 -binary | openssl base64 -A
   • [x] Attach assets including 3 JS files, stats.json and 5 tarballs
     • You can copy the artifacts from webchat-release-testing/drops
     • Tarballs download from npmjs

       curl -LO https://registry.npmjs.org/botframework-directlinespeech-sdk/-/botframework-directlinespeech-sdk-4.17.0.tgz
       curl -LO https://registry.npmjs.org/botframework-webchat/-/botframework-webchat-4.17.0.tgz
       curl -LO https://registry.npmjs.org/botframework-webchat-core/-/botframework-webchat-core-4.17.0.tgz
       curl -LO https://registry.npmjs.org/botframework-webchat-api/-/botframework-webchat-api-4.17.0.tgz
       curl -LO https://registry.npmjs.org/botframework-webchat-component/-/botframework-webchat-component-4.17.0.tgz

8. [x] Kick off release to NPM
   • Release name is [[PROD]]Push-WebChat-Official-to-npmjs
   • The build number is 388824 release number is 2 and commit is f03d1f05
   • [x] Verify package content then click Resume
   • [x] Retain the release indefinitely
9. [x] Kick off release to CDN (cutoff at 10 PM PST, Sun-Wed only)
   1. [x] Prepare the message for approval
      • [x] ~If there are any breaking changes, explain in the email if it will affect any customers~
      • Release name is [[PROD]]Push-WebChat-Official-to-Prod-CDN-with-approval
      • The build number is 388824, release number is 4 and commit is f03d1f05
      • Script build number is 320590 (this is fixed)
   2. [x] Send message to approvers
   3. [x] Retain the build indefinitely

Post-release verification - complete within 30 minutes after release to NPM

• [x] Test using webchat-release-testing

  1. [x] Clone https://github.com/corinagum/WebChat-release-testing/
  2. [x] 01.create-react-app
     1. [x] Nuke 01.create-react-app/node_modules
     2. [x] npm install
     3. [x] npm install botframework-webchat@4.17.0 (just install the bundle package)
     4. [x] npm run build

  3. [x] Others

     • Using script tags from https://github.com/microsoft/BotFramework-WebChat/releases/tag/v4.17.0, with subresource integrity

       <script
       crossorigin="anonymous"
       integrity="sha384-"
       src="https://cdn.botframework.com/botframework-webchat/4.17.0/webchat.js"
       ></script>
       
       <script
       crossorigin="anonymous"
       integrity="sha384-"
       src="https://cdn.botframework.com/botframework-webchat/4.17.0/webchat-es5.js"
       ></script>
       
       <script
       crossorigin="anonymous"
       integrity="sha384-"
       src="https://cdn.botframework.com/botframework-webchat/4.17.0/webchat-minimal.js"
       ></script>

  4. [x] npx serve (at repo root)
  5. [x] Go to http://localhost:5000/ to test

Notification to interested parties

• [x] Update partner page on Adaptive Cards doc
  • https://docs.microsoft.com/en-us/adaptive-cards/resources/partners
  • PR at https://github.com/MicrosoftDocs/AdaptiveCards/pull/546
• [x] Notify related parties for the following fixes
  • [x] Azure Bot Services
  • [x] Omnichannel
  • [x] Copilot Studio

---

Post-release checklist

These are chores that we should do before starting the cycle to reduce ripple effects if we do it in mid-cycle.

Tips:

• Clean your repo before start
• Remove node_modules from all folder
  • git clean -fdx
• Never delete package-lock.json
• If you mess it up, tableflip and redo
• In component/package.json
  • Remove reference to botframework-webchat-core by hand-modifying package.json
  • Then, npm install (symlinks will be broken afterward)
  • Then, add those references back by hand-modifying package.json
  • This also applies for other packages with similar dependencies/symlinks
  • To build afterward, do tableflip to rebuild those symlinks

Applies to all releases

This list should be copied to versions in the future.

• [x] ~If on QFE branch, make sure CHANGELOG.md and version number bump is cherry-picked to main~
  • [x] ~git checkout main~
  • [x] ~git cherry-pick XXX (the commitish for bumping version number and CHANGELOG.md)~
• [x] ~If needed, correct the date for 4.17.0 in CHANGELOG.md in PR #XXX~
  • ~There could be last minute fixes that could push the planned date later than the one in CHANGELOG.md~
• [x] Bump package.json to 4.17.1-0 in PR #5174
  • Run npm version prepatch --no-git-tag-version
• [x] Update servicingPlan.json in PR #5174
  • Add deprecation notes for previous versions
  • Subresource integrity hash from https://github.com/microsoft/BotFramework-WebChat/releases/tag/v4.17.0
• [x] ~Update all samples to use 4.17.0 in PR #XXXX~
  • Some samples are pointing to GitHub Releases because the sample need new features from daily build
  • Search "https://github.com/microsoft/BotFramework-WebChat/releases/download/"
    • And replace with "https://cdn.botframework.com/botframework-webchat/latest/"
• [x] ~Clean up unnecessary branch on official repo~
• [x] ~Understand production-hitting vulnerabilities~ (We will be releasing ~4.17.1~ very soon)
  • [x] Create a new folder
  • [x] Run npm init with default values
  • [x] Run npm install botframework-webchat@4.17.0
  • [x] Look at the result and see if there are any production-hitting vulnerabilities, investigate if needed
    • No vulnerabilities found
• [x] Bump in Copilot Studio
• [x] ~Update accessibility conformance report~
  • For any accessibility bugs resolved, remove them from external notes
  • Update version number and publish date

Applies to major/minor releases

Bump all dependencies to latest version

In PR #5174, we are bumping most dependencies to latest version.

After bumping, if a package broke compatibility, we should investigate:

• Upgrade our code to use the latest package if possible, otherwise;
• Add it to package.json/pinDependencies to prevent bumping deliberately
  • Pinning dependencies incur unpredictable technical debts, say, security issue found in the unsupported version, causing us slow to react
  • Every time we bump, we need to go through the whole pinDependencies list

• [x] Run npm run bump
• [x] Run npm audit fix to make sure everything is fixed
• [x] ~List steps to verify bumping microsoft-cognitiveservices-speech-sdk~

Bump Docker image

The Docker image can be found at root docker-compose.yml and Dockerfile*.

• [x] ~Docker container for headless Chrome in PR #XXXX~

[compulim]

Done.