dummy edit

.github/CODEOWNERS

@@ -34,8 +34,10 @@
 
 /.github/CODEOWNERS                            @microsoft/fluid-cr-api
 
-# Changes to this workflow require approval from the Release Approvers team
-/.github/workflows/required-reviewers-release.yml @microsoft/FluidFramework-ReleaseApprovers
+# Changes to these workflows require approval from the Release Approvers team
+# Will be re-enabled once workflows are stable. AB#14288
+# /.github/workflows/release-approval.yml @microsoft/FluidFramework-ReleaseApprovers
+# /.github/workflows/release-branches.yml @microsoft/FluidFramework-ReleaseApprovers
 
 # ID compressor source
 /packages/runtime/id-compressor/src            @microsoft/fluid-cr-id-compressor

.github/workflows/release-approval.yml

@@ -0,0 +1,137 @@
+# release-approval.yml
+#
+# This workflow checks that a PR has been reviewed by a member of FluidFramework-ReleaseApprovers.
+#
+# This workflow is normally triggered by the completion of the release-branches workflow. However, it can also be run
+# manually using the GitHub UI and providing a PR number.
+
+name: release-approval
+
+on:
+  workflow_run:
+    # Workflow is typically triggered by the completion of the release-branches workflow.
+    workflows: [release-branches]
+    # Only workflow runs from these branches will trigger this workflow.
+    branches:
+      - release/client/**
+      - release/server/**
+      - test/release/**
+
+  # The workflow can be triggered manually in the GitHub UI.
+  workflow_dispatch:
+    inputs:
+      pr:
+        description: "PR number on which to run approval checks"
+        required: true
+
+permissions:
+  actions: read
+  pull-requests: read
+
+jobs:
+  on-failure:
+    name: Check upstream workflow status
+    if: github.event_name == "workflow_run" && github.event.workflow_run.conclusion == "failure"
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo "The triggering workflow failed"
+
+  metadata:
+    name: Get PR metadata
+    runs-on: ubuntu-latest
+    outputs:
+      pr_num: ${{ steps.workflow_run_load_pr.outputs.pr_num || steps.workflow_dispatch_load_pr.outputs.pr_num }}
+      is_release_branch: ${{ steps.workflow_run_load_pr.outputs.is_release_branch || steps.workflow_dispatch_load_pr.outputs.is_release_branch }}
+    steps:
+
+      ### These steps run on workflow_run event only ###
+      - name: Download metadata
+        if: github.event_name == "workflow_run"
+        # release notes: https://github.com/dawidd6/action-download-artifact/releases/tag/v6
+        uses: dawidd6/action-download-artifact@bd10f381a96414ce2b13a11bfa89902ba7cea07f # ratchet:dawidd6/action-download-artifact@v6
+        with:
+          workflow: release-branches.yml
+          # workflow_conclusion: completed
+          run_id: ${{ github.event.workflow_run.id }}
+          name: release-branch-pr-metadata
+          path: ./artifacts
+
+      - name: "workflow_run: Load PR number"
+        id: workflow_run_load_pr
+        if: github.event_name == "workflow_run"
+        working-directory: ./artifacts
+        run: echo "pr_num=$(cat pr)" >> $GITHUB_OUTPUT
+
+      - name: "workflow_run: Load is_release_branch"
+        id: workflow_run_is_release_branch
+        if: github.event_name == "workflow_run"
+        working-directory: ./artifacts
+        run: echo "is_release_branch=$(cat is_release_branch)" >> $GITHUB_OUTPUT
+
+      ### These steps run on workflow_dispatch event only ###
+      - name: "workflow_dispatch: Load PR number"
+        id: workflow_dispatch_load_pr
+        if: github.event_name == "workflow_dispatch"
+        run: echo "pr_num=${{ github.event.inputs.pr }}" >> $GITHUB_OUTPUT
+
+      - name: "workflow_dispatch: Load is_release_branch"
+        id: workflow_dispatch_is_release_branch
+        if: github.event_name == "workflow_dispatch"
+        run: echo "is_release_branch=true" >> $GITHUB_OUTPUT
+
+  check_approval:
+    name: Check PR approval
+    if: needs.metadata.outputs.is_release_branch == 'true'
+    needs: metadata
+    runs-on: ubuntu-latest
+    steps:
+      # release notes: https://github.com/actions/checkout/releases/tag/v4.1.7
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # ratchet:actions/checkout@v4
+        with:
+          # The default ref when triggered by the workflow_run event is the default branch -- main
+          # This means the build-tools from the main branch will always be used.
+          persist-credentials: false
+          submodules: false
+
+      # install and configure node, pnpm and the changeset tools
+      # release notes: https://github.com/pnpm/action-setup/releases/tag/v4.0.0
+      - uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # ratchet:pnpm/action-setup@v4
+
+      # release notes: https://github.com/actions/setup-node/releases/tag/v4.0.3
+      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # ratchet:actions/setup-node@v4
+        with:
+          node-version-file: .nvmrc
+          cache: "pnpm"
+          cache-dependency-path: pnpm-lock.yaml
+
+      - name: Install Fluid build tools
+        continue-on-error: true
+        run: |
+          cd build-tools
+          pnpm install --frozen-lockfile
+          pnpm run build:compile
+          # We want flub available to call, so we run npm link in the build-cli package, which creates shims that are avilable on the PATH
+          # Use npm link instead of pnpm link because it handles bins better
+          cd packages/build-cli
+          npm link
+
+      - name: Check build-tools installation
+        run: |
+          # Info for debugging
+          which flub
+          flub --help
+          flub commands
+
+      - name: Check PR approval
+        env:
+          # The standard token doesn't have org:read permissions, and that scope can't be added using permissions in
+          # the workflow.
+          # GITHUB_TOKEN: ${{ secrets.ORGANIZATION_READ_PAT }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # This command will fail with an error if the PR is not approved, which
+          # will in turn cause the CI job to fail.
+          flub check prApproval \
+            --pr ${{ needs.metadata.outputs.pr_num }} \
+            --repo ${{ github.repository }} \
+            --team FluidFramework-ReleaseApprovers

.github/workflows/release-branches.yml

@@ -0,0 +1,83 @@
+# release-branches.yml
+#
+# Checks if a PR is targeting a client or server release branch or not, and uploads a CI artifact containing the
+# results, along with the PR number. This allows downstream workflows, such as release-approval, to be triggered by the
+# completion of this workflow and take further action based on the target branch.
+
+name: release-branches
+on:
+  pull_request:
+    types:
+      # This is triggered when the PR is opened. This is not strictly needed since the PR approval state is really
+      # what's evaluated. However, running the job on PR open causes an immediate failure which will make it clearer to
+      # the PR author what they need to do to unblock the merge.
+      - opened
+
+      # This is triggered when the PR branch has new commits pushed to it.
+      - synchronize
+
+      # This is triggered when the base branch changes; handles the case where you open a PR against one branch
+      # then change the base branch to a release branch.
+      - edited
+    branches:
+      - release/client/**
+      - release/server/**
+      - test/release/**
+
+  # This workflow needs to run on review changes because it evaluates the review state.
+  pull_request_review:
+    types:
+      - submitted
+      - dismissed
+
+permissions:
+  pull-requests: read
+
+jobs:
+  check_branch:
+    name: Check target branch
+    runs-on: ubuntu-latest
+    outputs:
+      # This output will be set to true if the target branch is a release branch; false otherwise.
+      is_release_branch: ${{ steps.is-release-branch.outputs.is_release_branch || steps.not-release-branch.outputs.is_release_branch }}
+    steps:
+      - name: Target is a release branch
+        id: is-release-branch
+        if: |
+          startsWith(github.event.pull_request.base.ref, 'release/client/') ||
+          startsWith(github.event.pull_request.base.ref, 'release/server/') ||
+          startsWith(github.event.pull_request.base.ref, 'test/release/')
+        run: |
+          echo "is_release_branch=true" >> $GITHUB_OUTPUT
+          echo ":ship: Release branch detected" >> $GITHUB_STEP_SUMMARY
+      - name: Target is not a release branch
+        id: not-release-branch
+        if: |
+          !(startsWith(github.event.pull_request.base.ref, 'release/client/') ||
+          startsWith(github.event.pull_request.base.ref, 'release/server/') ||
+          startsWith(github.event.pull_request.base.ref, 'test/release/'))
+        run: |
+          echo "is_release_branch=false" >> $GITHUB_OUTPUT
+          echo ":no_entry_sign: No release branch detected" >> $GITHUB_STEP_SUMMARY
+
+  save_metadata:
+    name: Save PR details
+    needs: check_branch
+    runs-on: ubuntu-latest
+    steps:
+      - name: Create artifacts folder
+        run: mkdir -p ./artifacts
+
+      - name: Save PR number
+        run: echo ${{ github.event.pull_request.number }} > ./artifacts/pr
+
+      - name: Save is_release_branch
+        run: echo ${{ needs.check_branch.outputs.is_release_branch }} > ./artifacts/is_release_branch
+
+      - name: Upload artifact
+        # release notes: https://github.com/actions/upload-artifact/releases/tag/v4.4.0
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # ratchet:actions/[email protected]
+        with:
+          name: release-branch-pr-metadata
+          path: ./artifacts
+          retention-days: 3

.releaseGroup

@@ -1 +1,3 @@
 The presence of this file in a directory indicates it is the root of a release group.
+
+edited