Add net11 release readiness workflow

[PureWeen]

Note

Are you waiting for the changes in this PR to be merged?
It would be very helpful if you could test the resulting artifacts from this PR and let us know in a comment if this change resolves your issue. Thank you!

Summary

Adds the first net11 release-readiness automation for #35711:

• a local Copilot skill: .github/skills/net11-release-readiness/SKILL.md
• a deterministic readiness script: .github/skills/net11-release-readiness/scripts/Get-Net11ReleaseReadiness.ps1
• a scheduled/manual/PR-validation workflow: .github/workflows/net11-release-readiness.yml

The intent is that a maintainer can ask Copilot CLI something like Is net11-preview6 ready to release? and get a concrete checklist-backed answer. The workflow also creates a daily public [Release READY] net11 YYYY-MM-DD issue snapshot.

What the readiness check validates

• Target resolution: maps auto, net11.0, net11-previewN, and release/11.0.1xx-previewN to a canonical release target.
• Branch existence: verifies the expected release branch exists.
• Version iteration: checks release branch PreReleaseVersionIteration and reports the net11.0 preview-next value so we catch the branch bump/preview-next mismatch called out by Increment PreReleaseVersionIteration from 4 to 5 #35721.
• Maestro/dependency PRs: lists open dotnet-maestro PRs targeting the release branch or net11.0, including conflict/review/draft state and next action.
• Release branch PRs: separates non-Maestro PRs targeting the release branch from general net11.0 inflight work.
• Inflight branch health: summarizes open net11.0 PRs, including blocked/conflicting/review-requested work, without treating every inflight PR as a direct release-branch blocker.
• Priority blockers: surfaces release-relevant open P/0 and P/1 issues.
• Known Build Errors: surfaces release-relevant KBE issues for release owner triage.
• CI truth boundary: reports CI as INSUFFICIENT_DATA until [Epic] Improve CI Analysis Accuracy — Flaky Detection, KBE Integration, Auto-Triage #35052 provides structured CI evidence; this intentionally avoids duplicating CI parsing/classification.
• Xcode / ICM readiness: reports required Xcode values and reminds maintainers to verify hosted image support / file ICM quickly when public Xcode versions require it.
• Internal pipeline status: includes only a sanitized public status (READY, WATCH, BLOCKED, or UNKNOWN) for dnceng/internal pipeline health.

Public/internal safety boundary

The script emits a public-safe markdown block bounded by:

<!-- NET11_RELEASE_READY_BEGIN -->
...
<!-- NET11_RELEASE_READY_END -->

The workflow extracts only that block before writing the issue body. Internal details are intentionally not posted publicly: no private URLs, raw internal logs, artifact links, account identifiers, secret names, or raw dnceng/internal failure payloads.

For local maintainer use, the script supports:

-IncludeInternal -InternalBuildId <build-id>

That path is intended for Copilot/local validation with maintainer credentials; public output remains sanitized.

Current limitations / expected follow-ups

• CI truth is deliberately a placeholder until [Epic] Improve CI Analysis Accuracy — Flaky Detection, KBE Integration, Auto-Triage #35052 exposes structured CI evidence for this release-readiness layer to consume.
• Internal dnceng validation is local/sanitized first; secure hosted internal aggregation should be designed separately.
• This is the first deterministic pass. We can iterate on weighting, issue relevance filters, Maestro/darc checks, and the exact Release READY issue format after seeing real daily snapshots.

Validation

• Ran the script for auto markdown output and verified marker extraction produced a non-empty public body.
• Ran the script for net11-preview6 markdown output and verified missing-branch readiness behavior.
• Ran JSON output through jq.
• Parsed the PowerShell script with the PowerShell parser.
• Ran git diff --check on the staged changes.

[github-actions]

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/dotnet/maui/main/eng/scripts/get-maui-pr.sh | bash -s -- 35754

Or

• Run remotely in PowerShell:

iex "& { $(irm https://raw.githubusercontent.com/dotnet/maui/main/eng/scripts/get-maui-pr.ps1) } 35754"

[github-actions]

🔍 Skill Validation Results

✅ Static Checks Passed

Skills checked: 19 | Agents checked: 4

Full validator output

Found 1 skill(s)
[net11-release-readiness] 📊 net11-release-readiness: 849 BPE tokens [chars/4: 881] (detailed ✓), 5 sections, 4 code blocks
✅ All checks passed (1 skill(s))
Found 4 agent(s)
Validated 4 agent(s)

✅ All checks passed (4 agent(s))

⏭️ LLM Evaluation: Skipped

No changed skills with eval tests found.

🔍 Full results and investigation steps

[kubaflo]

/review -b feature/enhanced-reviewer -p android

[MauiBot]

Expert Review — 3 findings

See inline comments for details.

[MauiBot]

[warning] Build/MSBuild - retry diagnostics - Invoke-GitHubWithRetry throws here on the final retry attempt, so the later after $MaxRetries attempts throw is unreachable. A transient 502/timeout that exhausts retries reports only Failed to ..., losing retry-exhaustion context. Move the final throw outside the loop or include the attempt count/last error in this throw.

[MauiBot]

[warning] Build/MSBuild - transient GitHub failures - Test-BranchExists calls gh api directly instead of the retry helper used elsewhere. A single transient GitHub/API failure here aborts the whole readiness report because branch checks run before most report sections. Route this through retry logic while still treating real 404 responses as false.

[MauiBot]

[warning] Build/MSBuild - workflow concurrency - for pull_request events this group resolves to net11-release-readiness-pull_request-auto, so validation for one PR can cancel validation for another unrelated PR. Include the PR number/ref in the pull_request concurrency key, while keeping the scheduled/manual report serialized if desired.

[kubaflo]

Could you please check the ai's suggestions?

[kubaflo]

/review rerun

[kubaflo]

/review -b feature/enhanced-reviewer -p android

[MauiBot]

Expert Review — 1 findings

See inline comments for details.

[MauiBot]

[major] Workflow safety — The cleanup query closes every open issue whose title matches [Release READY] and net11, but it does not constrain results to issues created by this workflow/bot or to the labels applied on lines 94-95. Because this runs on a schedule with issues: write, a maintainer-created tracking issue with a matching title could be closed automatically. Please narrow the search, e.g. by workflow labels and/or author:github-actions[bot], before piping numbers to gh issue close.

[kubaflo]

/review -b feature/enhanced-reviewer -p android

[MauiBot]

Expert Review — 1 findings

See inline comments for details.

[MauiBot]

❌ Error — This cleanup query matches broad title text only, then closes every returned open issue as not planned. A maintainer-created issue whose title contains [Release READY] and net11 could be closed even though this workflow did not create it. Constrain destructive cleanup to workflow-owned daily issues, e.g. bot author plus report/s/triaged labels plus exact generated title/body marker, or update a single tracked issue instead.

[MauiBot]

AI Review Summary

@PureWeen — new AI review results are available based on this last commit: f0fc6b0. To request a fresh review after new comments or commits, comment /review rerun.

Review Sessions — click to expand

Gate — Test Before & After Fix

Gate Result: ⚠️ SKIPPED

No tests were detected in this PR.

Recommendation: Add tests to verify the fix using the write-tests-agent.

---

Pre-Flight — Context & Validation

Issue: #35711 - [Epic] Agentic Release Management & Pipeline Health — net11 readiness, Maestro flow, and release gates
PR: #35754 - Add net11 release readiness workflow
Platforms Affected: infrastructure / release automation; requested test platform android has no Android runtime code impact
Files Changed: 3 implementation/infrastructure, 0 test

Key Findings

• PR adds a net11-release-readiness skill, deterministic readiness script, and scheduled/manual/PR-validation workflow.
• Gate was already completed separately and skipped because no tests were detected; gate verification was not rerun and gate/content.md was not modified.
• Impacted UI test categories: NONE — no MAUI controls, handlers, layouts, or Android platform runtime files changed.
• Code review found a workflow safety defect: scheduled/manual cleanup closes all open issues matching broad title terms before creating the new daily issue.
• GitHub CLI auth was unavailable locally, so live gh pr checks and live issue-list/close behavior could not be executed.

Code Review Summary

Verdict: NEEDS_CHANGES
Confidence: medium
Errors: 1 | Warnings: 0 | Suggestions: 0

Key code review findings:

• ❌ .github/workflows/net11-release-readiness.yml:79 searches only for "[Release READY]" "net11" in:title before closing every returned open issue; cleanup should constrain to workflow-owned issues, for example by bot author, labels, exact generated title shape, and/or report body marker.

Fix Candidates

#	Source	Approach	Test Result	Files Changed	Notes
PR	PR #35754	Add net11 readiness skill/script/workflow; current workflow cleanup closes broad title-only issue matches.	⚠️ SKIPPED (Gate: no tests detected)	.github/skills/net11-release-readiness/SKILL.md, .github/skills/net11-release-readiness/scripts/Get-Net11ReleaseReadiness.ps1, .github/workflows/net11-release-readiness.yml	Original PR; needs safer cleanup query.

---

Code Review — Deep Analysis

Code Review — PR #35754

Independent Assessment

What this changes: Adds a net11-release-readiness Copilot skill, a deterministic PowerShell readiness script, and a scheduled/manual/PR-validation GitHub Actions workflow. The workflow generates a marker-delimited public report and, on schedule/manual dispatch, closes previous daily [Release READY] net11 ... issues before creating a new one.
Inferred motivation: Give release owners a repeatable public-safe net11 readiness snapshot that covers release branches, Maestro PRs, blockers, Xcode/ICM readiness, and sanitized internal status.

Reconciliation with PR Narrative

Author claims: The PR adds first net11 release-readiness automation for #35711, emits only the marker-bounded public block, defers CI truth to #35052, and creates a daily public Release READY issue snapshot.
Agreement/disagreement: The implementation matches the release-readiness scope and public/internal marker boundary. The main disagreement is in the workflow mutation path: the cleanup query is broader than the workflow-owned issues it later creates.

Prior Review Reconciliation

Prior ❌ Error Finding	Source	Status	Evidence
Scheduled cleanup can close unrelated maintainer issues because it searches only for "[Release READY]" "net11" in:title before closing every match.	MauiBot inline review / prior AI summary	❌ Unresolved in current local PR delta	.github/workflows/net11-release-readiness.yml still uses the title-only search and pipes all numbers to gh issue close.

Blast Radius Assessment

• Runs for all instances: yes — scheduled/manual workflow runs with issues: write and can mutate public issues.
• Startup impact: no MAUI app startup impact; this is repository automation.
• Static/shared state: no app static state; persistent GitHub issue state is mutated.

CI Status

• Required-check result: undetermined locally; gh CLI is unauthenticated in this environment.
• Classification: undetermined for CI; gate was provided as skipped because no tests were detected.
• Action taken: used public unauthenticated PR/review data and local static validation only; confidence capped for live gh execution behavior.

Findings

❌ Error — Scheduled cleanup can close unrelated maintainer issues

.github/workflows/net11-release-readiness.yml:79 searches only for "[Release READY]" "net11" in:title and closes every returned open issue. Because the job has issues: write, any human-created tracking issue with a matching title can be closed even if it was not created by this workflow. The create step labels workflow-owned issues with report and s/triaged, and the generated body contains NET11_RELEASE_READY markers, so cleanup should constrain closure to workflow-owned issues before mutating state.

Failure-Mode Probing

• Human creates [Release READY] net11 planning issue: current PR can close it on the next schedule/manual run because title terms match.
• Workflow-owned issue labels are removed: current PR would still close it by title only; safer candidates require labels/author/body marker.
• GitHub search returns a stale or broad match: current PR suppresses close errors with || true, making accidental/partial cleanup harder to detect.

Verdict: NEEDS_CHANGES

Confidence: medium
Summary: The core readiness script and skill are aligned with the PR goal, but the issue cleanup mutation is too broad for a scheduled workflow with issues: write. The fix should constrain cleanup to workflow-owned issues or avoid destructive closure entirely.

---

Fix — Analysis & Comparison

Fix Candidates

#	Source	Approach	Test Result	Files Changed	Notes
1	maui-expert-reviewer + try-fix	Structured ownership filter: add author:github-actions[bot] and first-class --label report / --label s/triaged filters to the cleanup query.	✅ PASS (offline/static checks)	1 file	Fixes broad title-only cleanup, but relies on GitHub search + label filtering behavior that could not be live-tested without auth.
2	maui-expert-reviewer + try-fix	Non-destructive single tracking issue: replace close/create with find/edit-or-create for [Release READY] net11 status.	✅ PASS (offline/static checks)	1 file	Safest against accidental closure because it removes gh issue close, but changes the PR's stated daily snapshot model.
3	maui-expert-reviewer + try-fix	Strict daily snapshot ownership filter: require bot author, workflow labels, generated daily title regex, and NET11_RELEASE_READY_BEGIN body marker before closing.	✅ PASS (offline/static checks)	1 file	Best standalone candidate: preserves daily snapshots while constraining destructive cleanup to workflow-owned generated issues.
PR	PR #35754	Title-only cleanup query closes every open issue matching "[Release READY]" "net11" in:title.	⚠️ SKIPPED (Gate: no tests detected)	3 files	Original PR behavior can close unrelated maintainer-created issues.

Cross-Pollination

Model	Round	New Ideas?	Details
maui-expert-reviewer	1	Yes	Identified destructive cleanup safety as the high-confidence issue and proposed ownership filters, non-destructive single-issue update, two-phase plan, helper extraction, and tokenless validation variants.
try-fix loop	1	Yes	Candidate 1 applied structured author/label filters; passed static checks but left live search behavior unverified.
try-fix loop	2	Yes	Candidate 2 removed destructive closure entirely; passed static checks but changed the daily snapshot product model.
try-fix loop	3	Yes	Candidate 3 incorporated lessons from candidates 1 and 2: preserve daily snapshots but require author, labels, exact generated title shape, and body marker before closing.
orchestrator	stop	No further run	Stopped because candidate 3 passed all available tests and is demonstrably better than the PR baseline while avoiding candidate 2's product-model change. Further variants would be trivial recombinations or larger helper extraction.

Exhausted: No
Selected Fix: Candidate #3 — preserves the PR's daily Release READY issue model while preventing broad title-only closure of unrelated issues. Candidate #2 is safer but changes intended behavior; candidate #1 is simpler but less specific than candidate #3.

Test Notes

Gate verification was not rerun, per instruction. Candidate testing used targeted static regression checks (git diff --check, workflow-content invariants) and PowerShell parser validation for Get-Net11ReleaseReadiness.ps1. Live gh issue list / gh issue close execution was blocked because the local GitHub CLI is unauthenticated.

Candidate Narratives

try-fix-1

See CustomAgentLogsTmp/PRState/35754/PRAgent/try-fix-1/content.md.

try-fix-2

See CustomAgentLogsTmp/PRState/35754/PRAgent/try-fix-2/content.md.

try-fix-3

See CustomAgentLogsTmp/PRState/35754/PRAgent/try-fix-3/content.md.

---

Report — Final Recommendation

Comparative Report

Candidates

Rank	Candidate	Regression result	Assessment
1	pr-plus-reviewer	✅ PASS via equivalent try-fix-3 offline/static checks	Best overall. Applies the expert reviewer's actionable feedback while preserving the PR's intended daily snapshot model. It constrains issue closure by bot author, workflow labels, exact generated title shape, and the NET11_RELEASE_READY_BEGIN body marker.
2	try-fix-3	✅ PASS (offline/static checks)	Functionally equivalent to pr-plus-reviewer and the best standalone try-fix. Ranked below pr-plus-reviewer only because the requested Phase 1 candidate is the PR fix plus reviewer feedback, and it uses this same patch.
3	try-fix-2	✅ PASS (offline/static checks)	Safest against accidental closure because it removes destructive issue closing entirely, but it changes the PR's daily snapshot behavior into a single rolling issue.
4	try-fix-1	✅ PASS (offline/static checks)	Improves the raw PR by adding bot-author and label filters, but it still lacks exact generated-title and body-marker validation, so it is less robust than try-fix-3 / pr-plus-reviewer.
5	pr	⚠️ SKIPPED (gate skipped; no tests detected)	Raw PR has a confirmed workflow-safety error: broad title-only cleanup can close unrelated open issues matching [Release READY] and net11.

Analysis

The raw PR fix adds the requested net11 release-readiness skill/script/workflow, but its cleanup step is too broad for a destructive issue operation. The expert reviewer flagged .github/workflows/net11-release-readiness.yml:79 because the workflow lists issues by title text only and closes every match as not planned.

All STEP 5a try-fix candidates passed their available offline/static regression checks. None failed regression tests, so ranking is based on safety and behavioral fit. try-fix-2 is maximally non-destructive, but it changes the authoring model from daily snapshots to a single rolling issue. try-fix-1 keeps the model but only partially constrains ownership. try-fix-3 provides the best balance by preserving daily snapshots while adding strong ownership checks.

pr-plus-reviewer is the same strict ownership/body-marker approach as try-fix-3, applied as reviewer feedback to the PR fix. It wins because it resolves the expert reviewer's error, keeps the intended daily issue behavior, and has the strongest validated guardrails among candidates that preserve that behavior.

Winner

Winning candidate: pr-plus-reviewer

Rationale: It directly fixes the expert-reviewed safety defect by narrowing destructive cleanup to workflow-owned generated issues, while preserving the PR's daily Release READY snapshot model. The equivalent try-fix-3 candidate passed the available offline/static validation; the raw PR did not have test coverage and retains a confirmed safety error.

---

Future Action — review latest findings

No alternative fix was selected for this run. Review the session findings and CI results before merging.

[kubaflo]

Could you please check the ai's suggestions?