Add release automations (#14)

* feat: distribute ado-aw via GitHub Releases instead of ADO pipeline artifacts

Replace DownloadPipelineArtifact@2 tasks (pipeline 2437, project 4x4) in both
standalone and 1ES templates with curl downloads from GitHub Releases, verified
via SHA256 checksums. The compiler embeds its own CARGO_PKG_VERSION at compile
time so generated pipelines always fetch the matching release.

Changes:
- Add .github/workflows/release.yml (triggered on v* tags)
- Update templates/base.yml and templates/1es-base.yml (6 download sites)
- Add {{ compiler_version }} marker replacement in both compilers
- Add integration test assertions for new download mechanism
- Document {{ compiler_version }} marker in AGENTS.md

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: automate releases with release-please

Replace manual tag-triggered release with release-please automation:
- On push to main, release-please maintains a Release PR with changelog
  and Cargo.toml version bump (based on conventional commits)
- Merging the Release PR creates the git tag and GitHub Release
- Build job then compiles the binary and uploads assets to the release

Bump logic: fix: →

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: checksum verification filename mismatch and pin action versions

Fix critical bug where sha256sum --check would always fail because the
binary was downloaded as 'ado-aw' but the checksum file references
'ado-aw-linux-x64'. Now downloads as 'ado-aw-linux-x64', verifies the
checksum, then renames to 'ado-aw'. Fixed in all 6 download blocks
across both templates.

Also:
- Pin GitHub Actions to commit SHAs for supply-chain security
- Add set -euo pipefail to release asset preparation step

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: add --clobber to release upload and test compiled output markers

- Add --clobber to gh release upload for idempotent retries
- Add integration test that compiles a fixture through the binary and
  verifies no unreplaced {{ markers }} remain in the output, confirming
  {{ compiler_version }} is correctly substituted

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: jamesadevine

.github/workflows/release.yml

@@ -0,0 +1,60 @@
+name: Release
+
+on:
+  push:
+    branches:
+      - main
+
+env:
+  CARGO_TERM_COLOR: always
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  release-please:
+    name: Release Please
+    runs-on: ubuntu-latest
+    outputs:
+      release_created: ${{ steps.release.outputs.release_created }}
+      tag_name: ${{ steps.release.outputs.tag_name }}
+    steps:
+      - uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56571f # v4.1.3
+        id: release
+        with:
+          release-type: rust
+
+  build:
+    name: Build (Linux)
+    needs: release-please
+    if: ${{ needs.release-please.outputs.release_created }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc97ebc # stable
+
+      - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
+
+      - name: Build
+        run: cargo build --release --verbose
+
+      - name: Run tests
+        run: cargo test --verbose
+
+      - name: Prepare release assets
+        run: |
+          set -euo pipefail
+          cd target/release
+          cp ado-aw ado-aw-linux-x64
+          sha256sum ado-aw-linux-x64 > ado-aw-linux-x64.sha256
+
+      - name: Upload release assets
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh release upload ${{ needs.release-please.outputs.tag_name }} \
+            target/release/ado-aw-linux-x64 \
+            target/release/ado-aw-linux-x64.sha256 \
+            --clobber

AGENTS.md

@@ -573,6 +573,17 @@ Generates environment variable entries for the copilot AWF step when `read-only-
 
 If no `read-only-service-connection` is configured, this marker is replaced with an empty string, and ADO access tokens are omitted from the copilot invocation.
 
+## {{ compiler_version }}
+
+Should be replaced with the version of the `ado-aw` compiler that generated the pipeline (derived from `CARGO_PKG_VERSION` at compile time). This version is used to construct the GitHub Releases download URL for the `ado-aw` binary.
+
+The generated pipelines download the compiler binary from:
+```
+https://github.com/githubnext/ado-aw/releases/download/v{VERSION}/ado-aw-linux-x64
+```
+
+A SHA256 checksum file (`ado-aw-linux-x64.sha256`) is also downloaded and verified to ensure binary integrity. This replaces the previous approach of downloading from an internal ADO pipeline artifact.
+
 ### 1ES-Specific Template Markers
 
 The following markers are specific to the 1ES target (`target: 1es`) and are not used in standalone pipelines:
@@ -944,7 +955,7 @@ mcp-servers:
 
 Network isolation is provided by AWF (Agentic Workflow Firewall), which provides L7 (HTTP/HTTPS) egress control using Squid proxy and Docker containers. AWF restricts network access to a whitelist of approved domains.
 
-The AWF binary is downloaded from an internal ADO pipeline (pipeline 2450, branch `ms/main`, artifact `gh-aw-firewall-linux-x64`). Docker is sourced via the `DockerInstaller@0` ADO task.
+The `ado-aw` compiler binary is distributed via [GitHub Releases](https://github.com/githubnext/ado-aw/releases) with SHA256 checksum verification. The AWF binary is downloaded from an internal ADO pipeline (pipeline 2450, branch `ms/main`, artifact `gh-aw-firewall-linux-x64`). Docker is sourced via the `DockerInstaller@0` ADO task.
 
 ### Default Allowed Domains
 

src/compile/onees.rs

@@ -114,7 +114,9 @@ displayName: "Finalize""#,
         );
 
         // Replace all template markers
+        let compiler_version = env!("CARGO_PKG_VERSION");
         let replacements: Vec<(&str, &str)> = vec![
+            ("{{ compiler_version }}", compiler_version),
             ("{{ pool }}", &pool),
             ("{{ schedule }}", &schedule),
             ("{{ pr_trigger }}", &pr_trigger),

src/compile/standalone.rs

@@ -120,7 +120,9 @@ impl Compiler for StandaloneCompiler {
         );
 
         // Replace template markers
+        let compiler_version = env!("CARGO_PKG_VERSION");
         let replacements: Vec<(&str, &str)> = vec![
+            ("{{ compiler_version }}", compiler_version),
             ("{{ pool }}", &pool),
             ("{{ setup_job }}", &setup_job),
             ("{{ teardown_job }}", &teardown_job),

templates/1es-base.yml

@@ -54,16 +54,23 @@ extends:
 
                   {{ prepare_steps }}
 
-                  - task: DownloadPipelineArtifact@2
-                    displayName: "Download agentic pipeline compiler"
-                    inputs:
-                      source: "specific"
-                      project: "4x4"
-                      pipeline: 2437
-                      runVersion: "latestFromBranch"
-                      branchName: "refs/heads/main"
-                      artifact: "agentic-pipeline-compiler-linux-x64"
-                      targetPath: "$(Pipeline.Workspace)/agentic-pipeline-compiler"
+                  - bash: |
+                      COMPILER_VERSION="{{ compiler_version }}"
+                      DOWNLOAD_DIR="$(Pipeline.Workspace)/agentic-pipeline-compiler"
+                      DOWNLOAD_URL="https://github.com/githubnext/ado-aw/releases/download/v${COMPILER_VERSION}/ado-aw-linux-x64"
+                      CHECKSUM_URL="${DOWNLOAD_URL}.sha256"
+
+                      mkdir -p "$DOWNLOAD_DIR"
+                      echo "Downloading ado-aw v${COMPILER_VERSION} from GitHub Releases..."
+                      curl -fsSL -o "$DOWNLOAD_DIR/ado-aw-linux-x64" "$DOWNLOAD_URL"
+                      curl -fsSL -o "$DOWNLOAD_DIR/ado-aw-linux-x64.sha256" "$CHECKSUM_URL"
+
+                      echo "Verifying checksum..."
+                      cd "$DOWNLOAD_DIR"
+                      sha256sum --check ado-aw-linux-x64.sha256
+                      mv ado-aw-linux-x64 ado-aw
+                      chmod +x ado-aw
+                    displayName: "Download agentic pipeline compiler (v{{ compiler_version }})"
 
                   - bash: |
                       AGENTIC_PIPELINES_PATH="$(Pipeline.Workspace)/agentic-pipeline-compiler/ado-aw"
@@ -160,16 +167,23 @@ extends:
                   echo "##vso[task.prependpath]$(Agent.TempDirectory)/tools/agency.linux-x64"
                 displayName: Add agency to PATH
 
-              - task: DownloadPipelineArtifact@2
-                displayName: "Download agentic pipeline compiler"
-                inputs:
-                  source: "specific"
-                  project: "4x4"
-                  pipeline: 2437
-                  runVersion: "latestFromBranch"
-                  branchName: "refs/heads/main"
-                  artifact: "agentic-pipeline-compiler-linux-x64"
-                  targetPath: "$(Pipeline.Workspace)/agentic-pipeline-compiler"
+              - bash: |
+                  COMPILER_VERSION="{{ compiler_version }}"
+                  DOWNLOAD_DIR="$(Pipeline.Workspace)/agentic-pipeline-compiler"
+                  DOWNLOAD_URL="https://github.com/githubnext/ado-aw/releases/download/v${COMPILER_VERSION}/ado-aw-linux-x64"
+                  CHECKSUM_URL="${DOWNLOAD_URL}.sha256"
+
+                  mkdir -p "$DOWNLOAD_DIR"
+                  echo "Downloading ado-aw v${COMPILER_VERSION} from GitHub Releases..."
+                  curl -fsSL -o "$DOWNLOAD_DIR/ado-aw-linux-x64" "$DOWNLOAD_URL"
+                  curl -fsSL -o "$DOWNLOAD_DIR/ado-aw-linux-x64.sha256" "$CHECKSUM_URL"
+
+                  echo "Verifying checksum..."
+                  cd "$DOWNLOAD_DIR"
+                  sha256sum --check ado-aw-linux-x64.sha256
+                  mv ado-aw-linux-x64 ado-aw
+                  chmod +x ado-aw
+                displayName: "Download agentic pipeline compiler (v{{ compiler_version }})"
 
               - bash: |
                   mkdir -p {{ working_directory }}/safe_outputs
@@ -297,16 +311,23 @@ extends:
               - download: current
                 artifact: analyzed_outputs
 
-              - task: DownloadPipelineArtifact@2
-                displayName: "Download agentic pipeline compiler"
-                inputs:
-                  source: "specific"
-                  project: "4x4"
-                  pipeline: 2437
-                  runVersion: "latestFromBranch"
-                  branchName: "refs/heads/main"
-                  artifact: "agentic-pipeline-compiler-linux-x64"
-                  targetPath: "$(Pipeline.Workspace)/agentic-pipeline-compiler"
+              - bash: |
+                  COMPILER_VERSION="{{ compiler_version }}"
+                  DOWNLOAD_DIR="$(Pipeline.Workspace)/agentic-pipeline-compiler"
+                  DOWNLOAD_URL="https://github.com/githubnext/ado-aw/releases/download/v${COMPILER_VERSION}/ado-aw-linux-x64"
+                  CHECKSUM_URL="${DOWNLOAD_URL}.sha256"
+
+                  mkdir -p "$DOWNLOAD_DIR"
+                  echo "Downloading ado-aw v${COMPILER_VERSION} from GitHub Releases..."
+                  curl -fsSL -o "$DOWNLOAD_DIR/ado-aw-linux-x64" "$DOWNLOAD_URL"
+                  curl -fsSL -o "$DOWNLOAD_DIR/ado-aw-linux-x64.sha256" "$CHECKSUM_URL"
+
+                  echo "Verifying checksum..."
+                  cd "$DOWNLOAD_DIR"
+                  sha256sum --check ado-aw-linux-x64.sha256
+                  mv ado-aw-linux-x64 ado-aw
+                  chmod +x ado-aw
+                displayName: "Download agentic pipeline compiler (v{{ compiler_version }})"
 
               - bash: |
                   chmod +x $(Pipeline.Workspace)/agentic-pipeline-compiler/ado-aw

templates/base.yml

@@ -52,17 +52,23 @@ jobs:
           copilot -h
         displayName: "Output copilot version"
 
-      - task: DownloadPipelineArtifact@2
-        displayName: "Download agentic pipeline compiler"
-        name: agenticpipelinecompilerdrop
-        inputs:
-          source: "specific"
-          project: "4x4"
-          pipeline: 2437
-          runVersion: "latestFromBranch"
-          branchName: "refs/heads/main"
-          artifact: "agentic-pipeline-compiler-linux-x64"
-          targetPath: "$(Pipeline.Workspace)/agentic-pipeline-compiler"
+      - bash: |
+          COMPILER_VERSION="{{ compiler_version }}"
+          DOWNLOAD_DIR="$(Pipeline.Workspace)/agentic-pipeline-compiler"
+          DOWNLOAD_URL="https://github.com/githubnext/ado-aw/releases/download/v${COMPILER_VERSION}/ado-aw-linux-x64"
+          CHECKSUM_URL="${DOWNLOAD_URL}.sha256"
+
+          mkdir -p "$DOWNLOAD_DIR"
+          echo "Downloading ado-aw v${COMPILER_VERSION} from GitHub Releases..."
+          curl -fsSL -o "$DOWNLOAD_DIR/ado-aw-linux-x64" "$DOWNLOAD_URL"
+          curl -fsSL -o "$DOWNLOAD_DIR/ado-aw-linux-x64.sha256" "$CHECKSUM_URL"
+
+          echo "Verifying checksum..."
+          cd "$DOWNLOAD_DIR"
+          sha256sum --check ado-aw-linux-x64.sha256
+          mv ado-aw-linux-x64 ado-aw
+          chmod +x ado-aw
+        displayName: "Download agentic pipeline compiler (v{{ compiler_version }})"
 
       - bash: |
           AGENTIC_PIPELINES_PATH="$(Pipeline.Workspace)/agentic-pipeline-compiler/ado-aw"
@@ -302,17 +308,23 @@ jobs:
           copilot -h
         displayName: "Output copilot version"
 
-      - task: DownloadPipelineArtifact@2
-        displayName: "Download agentic pipeline compiler"
-        name: agenticpipelinecompilerdrop
-        inputs:
-          source: "specific"
-          project: "4x4"
-          pipeline: 2437
-          runVersion: "latestFromBranch"
-          branchName: "refs/heads/main"
-          artifact: "agentic-pipeline-compiler-linux-x64"
-          targetPath: "$(Pipeline.Workspace)/agentic-pipeline-compiler"
+      - bash: |
+          COMPILER_VERSION="{{ compiler_version }}"
+          DOWNLOAD_DIR="$(Pipeline.Workspace)/agentic-pipeline-compiler"
+          DOWNLOAD_URL="https://github.com/githubnext/ado-aw/releases/download/v${COMPILER_VERSION}/ado-aw-linux-x64"
+          CHECKSUM_URL="${DOWNLOAD_URL}.sha256"
+
+          mkdir -p "$DOWNLOAD_DIR"
+          echo "Downloading ado-aw v${COMPILER_VERSION} from GitHub Releases..."
+          curl -fsSL -o "$DOWNLOAD_DIR/ado-aw-linux-x64" "$DOWNLOAD_URL"
+          curl -fsSL -o "$DOWNLOAD_DIR/ado-aw-linux-x64.sha256" "$CHECKSUM_URL"
+
+          echo "Verifying checksum..."
+          cd "$DOWNLOAD_DIR"
+          sha256sum --check ado-aw-linux-x64.sha256
+          mv ado-aw-linux-x64 ado-aw
+          chmod +x ado-aw
+        displayName: "Download agentic pipeline compiler (v{{ compiler_version }})"
 
       - task: DockerInstaller@0
         displayName: "Install Docker"
@@ -488,17 +500,23 @@ jobs:
       - download: current
         artifact: analyzed_outputs_$(Build.BuildId)
 
-      - task: DownloadPipelineArtifact@2
-        displayName: "Download agentic pipeline compiler"
-        name: agenticpipelinecompilerdrop
-        inputs:
-          source: "specific"
-          project: "4x4"
-          pipeline: 2437
-          runVersion: "latestFromBranch"
-          branchName: "refs/heads/main"
-          artifact: "agentic-pipeline-compiler-linux-x64"
-          targetPath: "$(Pipeline.Workspace)/agentic-pipeline-compiler"
+      - bash: |
+          COMPILER_VERSION="{{ compiler_version }}"
+          DOWNLOAD_DIR="$(Pipeline.Workspace)/agentic-pipeline-compiler"
+          DOWNLOAD_URL="https://github.com/githubnext/ado-aw/releases/download/v${COMPILER_VERSION}/ado-aw-linux-x64"
+          CHECKSUM_URL="${DOWNLOAD_URL}.sha256"
+
+          mkdir -p "$DOWNLOAD_DIR"
+          echo "Downloading ado-aw v${COMPILER_VERSION} from GitHub Releases..."
+          curl -fsSL -o "$DOWNLOAD_DIR/ado-aw-linux-x64" "$DOWNLOAD_URL"
+          curl -fsSL -o "$DOWNLOAD_DIR/ado-aw-linux-x64.sha256" "$CHECKSUM_URL"
+
+          echo "Verifying checksum..."
+          cd "$DOWNLOAD_DIR"
+          sha256sum --check ado-aw-linux-x64.sha256
+          mv ado-aw-linux-x64 ado-aw
+          chmod +x ado-aw
+        displayName: "Download agentic pipeline compiler (v{{ compiler_version }})"
 
       - bash: |
           ls -la "$(Pipeline.Workspace)/agentic-pipeline-compiler"