Add verify-releases and update-release-graph skills#10332
Merged
richlander merged 5 commits intomainfrom Apr 1, 2026
Merged
Conversation
Documents the workflow for regenerating the HAL+JSON release information graph using the VersionIndex, ShipIndex, and LlmsIndex generators from distroessed. Covers source data conventions, graph topology, and validation steps. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
New Copilot skill that validates .NET release data using dotnet-release v0.5.0+ verify releases command. Checks URL liveness, SHA512 file hashes, CDN latest.version files, and aka.ms redirect targets. Includes: - SKILL.md with full process documentation, commands, timing expectations, troubleshooting, and report template - Reference example with actual verification output from all supported versions (8.0, 9.0, 10.0, 11.0) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Describes how to use the dotnet-cve-enricher tool to synthesize, validate, and enrich cve.json files in the release-notes timeline directory. Covers: - Synthesizing CVE records from releases.json + MSRC data - Validating existing cve.json for data integrity - Updating lookup dictionaries and CVSS/CNA data - Agent usage with --json output mode Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Remove --version "0.*" workaround from all skill prerequisites now that 1.1.0 is the latest version on the GitHub Packages feed. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This was referenced Mar 31, 2026
rbhanda
approved these changes
Mar 31, 2026
leecow
reviewed
Mar 31, 2026
.github/skills/cve-enricher/SKILL.md
Outdated
|
|
||
| ## When to use | ||
|
|
||
| - A new .NET security update ships and needs a `cve.json` file created |
Member
There was a problem hiding this comment.
Given that we're going to start handling cve.json generation on the backend, I have concerns about this directive. Does the skill take this into account? How does the skill interact with existing cve.json files?
leecow
reviewed
Mar 31, 2026
.github/skills/cve-enricher/SKILL.md
Outdated
| - A new .NET security update ships and needs a `cve.json` file created | ||
| - Backfilling historical months that don't yet have CVE timeline data | ||
| - Validating existing `cve.json` files for data integrity issues | ||
| - Enriching CVE records with CVSS scores, CWE, acknowledgments from MSRC/CVE.org |
Member
There was a problem hiding this comment.
This is required data on the backend
Member
Author
There was a problem hiding this comment.
Excellent points. There are two aspects about that:
- When will that happen?
- We still need these capabilities for CVE enrichment after the fact if CVE information changes, particularly for old CVEs.
rbhanda
reviewed
Mar 31, 2026
| dotnet tool install -g Dotnet.Release.Tools \ | ||
| --add-source https://nuget.pkg.github.com/richlander/index.json \ | ||
| --version "0.*" | ||
| --add-source https://nuget.pkg.github.com/richlander/index.json |
Member
Author
There was a problem hiding this comment.
yes and no.
- the repo should move from richlander to dotnet org
- The intent is to continue using GH packages and not nuget.org because the packages have a very limited audience.
leecow
reviewed
Mar 31, 2026
.github/skills/cve-enricher/SKILL.md
Outdated
|
|
||
| ### 2. Validate — check existing cve.json | ||
|
|
||
| Run validation before committing or after manual edits: |
Member
There was a problem hiding this comment.
The current plan is that no edits happen outside of the cve authoring UI and generation process. This seems to conflict with that goal.
Member
Author
There was a problem hiding this comment.
What happens if CVSS score or title changes after the fact? I thought that this sometimes happens?
We can remove the CVE-enricher skill. that's likely a good idea until we resolve the workflow.
The cve-enricher tool isn't ready yet. Remove the skill to keep the PR focused on verify-releases and update-release-graph. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
richlander
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Consolidates two new Copilot skills from separate PRs/branches into a single validated PR.
New skills
dotnet-release verify releasesdotnet-release generate indexesValidation results
Each skill was tested against live data:
dotnet-release verify releases 9.0 release-notes --skip-hashdotnet-release generate indexes release-notes /tmp/outputdotnet-release generate supported-os 10.0 release-notesdotnet-release generate os-packages 10.0 release-notesdotnet-release generate dotnet-dependencies 10.0 release-notesFiles
.github/skills/verify-releases/SKILL.md.github/skills/verify-releases/references/verify-output-example.md.github/skills/update-release-graph/SKILL.mdSupersedes