microsoft · zanejohnson-azure · May 28, 2026 · May 29, 2026 · May 29, 2026 · May 29, 2026
@@ -0,0 +1,115 @@
+---
+name: ama-logs-tag-release
+description: "Create and push the git tag (e.g. 3.4.0) for an ama-logs release after its release-notes PR has merged into ci_prod. Use when: 'tag the release', 'cut the 3.X.Y tag', 'create release tag', 'tag ci_prod for release'. DO NOT USE FOR: tagging hotfixes on branches other than ci_prod, creating GitHub Releases with binaries, or signing tags."
+argument-hint: "[version] — e.g. '3.4.0'. If omitted, infer from charts/azuremonitor-containerinsights/Chart.yaml."
+---
+
+# ama-logs Release Tag
+
+After the release-notes / chart-bump PR (see the `ama-logs-update-charts-release-notes` skill) lands on `ci_prod`, the release is tagged. The tag is what downstream pipelines and the publishing job key off of.
+
+This skill creates the `<VERSION>` git tag on the merge commit of the release PR and pushes it to `origin`. It mirrors the pattern used by `3.3.0` and `3.4.0`.
+
+## Required Inputs
+
+| Input | Description | Example |
+|-------|-------------|---------|
+| **VERSION** | The release version, no `v` prefix | `3.4.0` |
+| **Release PR number** | The merged release PR in `microsoft/Docker-Provider` | `1699` |
+
+If VERSION was not provided, read it from `charts/azuremonitor-containerinsights/Chart.yaml` (`version:` field). If the release PR number was not provided, find it with:
+
+```powershell
+gh pr list --repo microsoft/Docker-Provider --state merged --base ci_prod `
+  --search "<VERSION> Release notes in:title" --json number,title,mergeCommit,state
+```
+
+## Step-by-step procedure
+
+### Step 1: Verify the release PR is merged
+
+```powershell
+gh pr view <PR_NUM> --repo microsoft/Docker-Provider `
+  --json state,baseRefName,mergeCommit,mergedAt
+```
+
+Required values:
+- `state` must be `MERGED`.
+- `baseRefName` must be `ci_prod`.
+- `mergeCommit.oid` will be the SHA we tag.
+
+If the PR is not merged, **stop** and tell the user — never tag from an un-merged branch.
+
+### Step 2: Pull the latest tags and confirm the version isn't already tagged
+
+```powershell
+git fetch origin --tags 2>&1 | Select-Object -Last 5
+git tag -l <VERSION>
+```
+
+If `git tag -l <VERSION>` outputs anything, the tag already exists. Stop and confirm with the user — do not silently overwrite.
+
+### Step 3: Confirm the merge commit is reachable from origin/ci_prod
+
+```powershell
+git --no-pager log <MERGE_SHA> -1 --oneline
+git merge-base --is-ancestor <MERGE_SHA> origin/ci_prod; $LASTEXITCODE
+```
+
+The `log` line should match the release PR title (e.g. `3.4.0 Release notes (#1699)`). `$LASTEXITCODE` must be `0` — meaning the commit is on `ci_prod`. If it isn't, stop.
+
+### Step 4: Match the prior release's tag style
+
+Inspect the previous release tag to decide between a lightweight or annotated tag:
+
+```powershell
+git for-each-ref refs/tags/<PREV_VERSION> --format='%(objecttype) -> %(*objectname)%(objectname)'
+```
+
+- `commit -> <sha>` → lightweight tag (no annotation).
+- `tag -> <sha>` → annotated tag.
+
+The current convention in this repo is **lightweight tags** (e.g. `3.3.0`, `3.4.0`). Stay consistent unless the user explicitly asks for an annotated/signed tag.
+
+### Step 5: Create the tag
+
+Lightweight (default — matches existing convention):
+
+```powershell
+git tag <VERSION> <MERGE_SHA>
+```
+
+Annotated (only if the prior release used `tag -> ...`):
+
+```powershell
+git tag -a <VERSION> <MERGE_SHA> -m "Release <VERSION>"
+```
+
+### Step 6: Push the tag
+
+Push only the new tag — never `git push --tags` from a worktree, which can leak local-only tags.
+
+```powershell
+git push origin refs/tags/<VERSION> 2>&1 | Select-Object -Last 5
+```
+
+Expected output ends with `* [new tag]   <VERSION> -> <VERSION>`.
+
+### Step 7: Verify on origin and report
+
+```powershell
+gh api repos/microsoft/Docker-Provider/git/refs/tags/<VERSION> --jq '{ref, sha: .object.sha, type: .object.type}'
+```
+
+`sha` must equal `<MERGE_SHA>` (or the annotated-tag object pointing to it). Print to the user:
+- Tag name and SHA
+- Link: `https://github.com/microsoft/Docker-Provider/releases/tag/<VERSION>`
+- Reminder: the build/publish pipeline triggers off this tag — confirm with the release owner before walking away.
+
+## Important rules
+
+- **No `v` prefix.** Tags are bare versions: `3.4.0`, not `v3.4.0`.
+- **Tag the merge commit of the release PR**, never the PR's head commit on the feature branch and never an arbitrary commit on `ci_prod`. The merge commit is reproducible and is what reviewers approved.
+- **Never** force-push or move an existing release tag. If the tag is wrong, talk to the release owner — moving it can break downstream pipelines and consumers who already pulled the prior SHA.
+- **Never** create the tag from a stale local `ci_prod`. Always `git fetch origin --tags` first.
+- **Never** create a GitHub Release in this skill — publishing/release-notes-on-GitHub is a separate manual step owned by the release manager.
@@ -0,0 +1,219 @@
+---
+name: ama-logs-update-charts-release-notes
+description: "Prepare an ama-logs release PR: bump the image tag (X.Y.Z) across Helm charts, manifests, and Dockerfiles, and add a formatted ReleaseNotes.md entry. Use when: cutting a new ama-logs release, '3.X.Y release notes', 'bump ciprod image tag', 'release PR for Docker-Provider', creating release notes for a new ciprod build. DO NOT USE FOR: MDSD or Windows AMA bumps in isolation, hotfix patches, or anything that does not increment the ciprod image tag."
+argument-hint: "[old version] [new version] — e.g. '3.3.0' '3.4.0'. If omitted, infer old from charts/azuremonitor-containerinsights/Chart.yaml and ask the user for new."
+---
+
+# ama-logs Release PR: Chart Bump + Release Notes
+
+This skill prepares a release PR in `microsoft/Docker-Provider` that bumps the ciprod image tag across all Helm charts, Kubernetes manifests, and Dockerfiles, and adds a formatted entry to `ReleaseNotes.md`. It mirrors the structure used by recent release PRs (e.g. #1656 for 3.3.0, #1699 for 3.4.0).
+
+## Required Inputs
+
+| Input | Description | Example |
+|-------|-------------|---------|
+| **OLD version** | Current ciprod tag (Linux side) | `3.3.0` |
+| **NEW version** | Target ciprod tag | `3.4.0` |
+| **Release date** | Date for the ReleaseNotes.md heading (today, MM/DD/YYYY) | `05/28/2026` |
+| **PRs in scope** | All PRs merged into `ci_prod` since the previous release | (queried below) |
+
+If the user did not provide OLD/NEW, read OLD from `charts/azuremonitor-containerinsights/Chart.yaml` (`version:` field) and ask for NEW.
+
+## Pre-flight: figure out what changed
+
+### Identify the PRs in this release
+
+List every PR merged into `ci_prod` since the previous release's merge commit:
+
+```powershell
+# Get the merge commit of the previous release PR (e.g. #1656 for 3.3.0)
+gh pr list --repo microsoft/Docker-Provider --state merged --base ci_prod --search "<OLD> release notes in:title" --json number,mergeCommit,mergedAt
+
+# Then list PRs merged after that date
+gh pr list --repo microsoft/Docker-Provider --state merged --base ci_prod --search "merged:>=<DATE>" --json number,title,author,mergedAt --limit 100
+```
+
+For each PR, capture: number, title, author (`login`), and merged date.
+
+**Author attribution rules:**
+- Human authors: use their GitHub login verbatim, prefixed with `@` (e.g. `@zanejohnson-azure`).
+- Bot authors: `gh pr view` returns `app/azure-monitor-assistant` — strip the `app/` prefix and write `@azure-monitor-assistant`.
+
+**Title rewriting:** If a PR title is messy (e.g. branch-style `Zane/fix fluentd procstat pattern`), rewrite it to a clean conventional-commit-style title (`fix: fluentd procstat pattern`). Keep clean titles verbatim.
+
+### Classify each PR — Common vs Infra
+
+This is the most error-prone step. Use these rules:
+
+- **Common (Linux + Windows)** — anything that ships *inside* the ciprod image:
+  - CVE fixes in gems/packages baked into the image (`erb`, `jwt`, etc.)
+  - Go / Telegraf / Fluent-bit / Fluentd / MDSD / Windows AMA upgrades
+  - Ruby/plugin code changes (e.g. fluentd config bugs)
+- **Infra** — anything that does NOT ship in the image:
+  - Pipeline/CI changes (release pipeline, build pipeline, e2e jobs)
+  - Helm chart-only fixes that aren't bundled in the image
+  - Documentation, test yamls, robot/automation workflows
+  - Skill files
+
+When in doubt: "does this change the bits inside `ciprod:<NEW>`?" If yes → Common. If no → Infra.
+
+### Get azurelinux and Ruby versions FROM THE CONTAINER
+
+Do **not** copy these from the previous release entry. Pull the published `ciprod:<OLD>` image (or `ciprod:<NEW>` if it has already been built) and read them out — they may have shifted even if you didn't bump anything explicitly, because `mcr.microsoft.com/azurelinux/base/core:3.0` is a floating base tag.
+
+```powershell
+# Docker Desktop must be running. If not:
+#   Start-Process "C:\Program Files\Docker\Docker\Docker Desktop.exe"
+#   Start-Sleep -Seconds 60
+
+docker pull mcr.microsoft.com/azuremonitor/containerinsights/ciprod:<OLD>
+docker run --rm --entrypoint cat mcr.microsoft.com/azuremonitor/containerinsights/ciprod:<OLD> /etc/os-release | Select-String '^VERSION='
+# => VERSION="3.0.20260517"
+
+docker run --rm --entrypoint ruby mcr.microsoft.com/azuremonitor/containerinsights/ciprod:<OLD> -e "puts RUBY_VERSION"
+# => 3.3.10  (x86_64 amalogs; the arm64 build may differ — keep both lines if so)
+```
+
+If `ciprod:<NEW>` is already published (CI built it), re-run against `:<NEW>` to confirm nothing shifted.
+
+## File edits — exact list
+
+These eight files **always** change on a release. Do not add or remove files unless the user explicitly asks.
+
+### 1. `charts/azuremonitor-containerinsights/Chart.yaml`
+- `version: <OLD>` → `version: <NEW>`
+- Leave `appVersion` alone unless the user says otherwise.
+
+### 2. `charts/azuremonitor-containerinsights/values.yaml`
+- `imageTagLinux: "<OLD>"` → `"<NEW>"`
+- `imageTagWindows: "win-<OLD>"` → `"win-<NEW>"`
+- `tag: "<OLD>"` → `"<NEW>"` (inside the `amalogs.image` block)
+- `tagWindows: "win-<OLD>"` → `"win-<NEW>"`
+- **Do NOT** touch `agentVersion` (MDSD) or `winAgentVersion` (Win AMA) unless those components were actually bumped this cycle.
+
+### 3. `charts/azuremonitor-containers/Chart.yaml`
+- `version: <OLD>` → `version: <NEW>`
+
+### 4. `charts/azuremonitor-containers/values.yaml`
+- `tag: "<OLD>"` → `"<NEW>"`
+- `tagWindows: "win-<OLD>"` → `"win-<NEW>"`
+
+### 5. `charts/azuremonitor-containers-geneva/values.yaml`
+- `tag: "<OLD>"` → `"<NEW>"`
+
+### 6. `kubernetes/ama-logs.yaml`
+- Replace every `mcr.microsoft.com/azuremonitor/containerinsights/ciprod:<OLD>` with `:<NEW>`.
+- Replace every `:win-<OLD>` with `:win-<NEW>`.
+- **Include commented-out blocks** — prior release PRs update those too (e.g. the dev/test image comment).
+- Do NOT touch `agentVersion:` annotations or RBAC rules unless the user explicitly asked.
+
+### 7. `kubernetes/linux/Dockerfile.multiarch`
+- `ARG IMAGE_TAG=<OLD>` → `ARG IMAGE_TAG=<NEW>`
+
+### 8. `kubernetes/windows/Dockerfile`
+- `ARG IMAGE_TAG=win-<OLD>` → `ARG IMAGE_TAG=win-<NEW>`
+
+## ReleaseNotes.md entry
+
+Insert at the **top** of the `## Release History` section, immediately below the heading and above the previous release's entry. Follow the exact format of the most recent prior entry. Keep one trailing blank line so entries are visually separated.
+
+```markdown
+### <MM/DD/YYYY> -
+##### Version mcr.microsoft.com/azuremonitor/containerinsights/ciprod:<NEW> (linux)
+##### Version mcr.microsoft.com/azuremonitor/containerinsights/ciprod:win-<NEW> (windows)
+- Linux
+  - [azurelinux <AZL_VERSION>](https://github.com/microsoft/azurelinux/releases/tag/<AZL_VERSION>-3.0)
+  - Golang - <GO_VERSION>
+  - Ruby - arm64 - <RUBY_ARM64>, x86_64 - <RUBY_X86>
+  - MDSD - <MDSD_VERSION>
+  - Telegraf - <TELEGRAF_LINUX>
+  - Fluent-bit - <FLUENTBIT_LINUX>
+  - Fluentd - <FLUENTD>
+- Windows
+  - Golang - <GO_VERSION>
+  - Ruby - <RUBY_WIN>
+  - Windows AMA - <WIN_AMA>
+  - Telegraf - <TELEGRAF_WIN>
+  - Fluent-bit - <FLUENTBIT_WIN>
+  - Fluentd - <FLUENTD>
+##### Code change log
+## What's Changed
+- Common (Linux + Windows)
+    * <Title> by @<author> in https://github.com/microsoft/Docker-Provider/pull/<num>
+    * ...
+
+- Infra
+    * <Title> by @<author> in https://github.com/microsoft/Docker-Provider/pull/<num>
+    * ...
+
+```
+
+**Formatting rules:**
+- One PR per line. If multiple PRs share the same title (e.g. four Go upgrade auto-PRs), still emit one line per PR — do NOT consolidate.
+- Always include the full `https://github.com/microsoft/Docker-Provider/pull/<num>` URL — not a markdown link.
+- Use a blank line between the `Common` and `Infra` blocks.
+- For dependency versions not bumped this cycle, copy the value from the previous entry **but verify against the chart values files and the container** — don't trust the prior entry blindly.
+
+## Verification before commit
+
+Run from the repo root and confirm no stray old-version references remain in files that should have been bumped:
+
+```powershell
+git --no-pager diff --stat
+git --no-pager grep -n "<OLD>" -- charts kubernetes
+git --no-pager grep -n "win-<OLD>" -- charts kubernetes
+```
+
+Remaining matches are acceptable **only** in:
+- Older `ReleaseNotes.md` entries (anywhere outside the new entry).
+- Test fixtures, scripts, or comments that intentionally pin `<OLD>`.
+
+If anything else still references `<OLD>` under `charts/` or `kubernetes/`, fix it before committing.
+
+## Commit, push, PR
+
+**One commit.** Message:
+
+```
+<NEW> release notes and chart update
+
+Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
+```
+
+Use the auto-created session branch (do not create a new branch manually). Push and open the PR against `ci_prod`:
+
+```powershell
+git add charts kubernetes ReleaseNotes.md
+git commit -m "<NEW> release notes and chart update`n`nCo-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>"
+git push 2>&1 | Select-Object -Last 5
+```
+
+Open the PR with the `create_pull_request` tool (or `gh pr create`):
+- **Title:** `<NEW> Release notes`
+- **Base:** `ci_prod`
+- **Body:** brief summary mirroring the prior release PR — call out (1) image tag bump `<OLD> → <NEW>` across charts/manifests/Dockerfiles, (2) the release notes entry with dep changes, (3) which components are unchanged this cycle (e.g. MDSD, Windows AMA). Reference the previous release PR as the template.
+- **Not** a draft.
+
+## Iteration: moving PRs between sections
+
+Reviewers will often ask to reclassify or rename a PR entry after the initial PR is open. Make one focused commit per move/rename:
+
+```
+fix(release-notes): move #<num> <short title> to <Common|Infra> section
+```
+
+or
+
+```
+fix(release-notes): rename #<num> to "<new title>"
+```
+
+Always re-grep the file to make sure each PR appears in exactly one section after the move.
+
+## Important rules
+
+- **Never** invent dependency versions. Pull them from the chart values files or the container.
+- **Never** bump MDSD or Windows AMA versions unless the user explicitly says so — they are tracked in `agentVersion` / `winAgentVersion` and are decoupled from the ciprod tag.
+- **Never** modify unrelated files (CI yamls, source code, RBAC rules) inside this skill's PR. Other PRs already in the release brought those changes — this PR is *only* the tag bump and the notes.
+- **Never** mark the PR as draft.
+- Keep edits idempotent: re-running the skill against the same OLD/NEW must not produce a second diff.
@@ -8,6 +8,54 @@ information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeo
 additional questions or comments.
 
 ## Release History
+### 05/28/2026 -
+##### Version mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.4.0 (linux)
+##### Version mcr.microsoft.com/azuremonitor/containerinsights/ciprod:win-3.4.0 (windows)
+- Linux
+  - [azurelinux 3.0.20260517](https://github.com/microsoft/azurelinux/releases/tag/3.0.20260517-3.0)
+  - Golang - 1.26.3
+  - Ruby - arm64 - 3.3.5-7, x86_64 - 3.3.10
+  - MDSD - 1.40.3
+  - Telegraf - 1.38.4
+  - Fluent-bit - 5.0.4
+  - Fluentd - 1.16.3
+- Windows
+  - Golang - 1.26.3
+  - Ruby - 3.1.1
+  - Windows AMA - 47.7.1
+  - Telegraf - 1.24.2
+  - Fluent-bit - 5.0.3
+  - Fluentd - 1.16.3
+##### Code change log
+## What's Changed
+- Common (Linux + Windows)
+    * Fix CVE-2026-41316: upgrade erb gem to 4.0.3.1 in ama-logs Linux image by @zanejohnson-azure in https://github.com/microsoft/Docker-Provider/pull/1692
+    * Fix CVE-2026-45363: upgrade jwt gem to 3.2.0 by @zanejohnson-azure in https://github.com/microsoft/Docker-Provider/pull/1693
+    * chore(deps): Upgrade Go to 1.26.3 and update dependencies by @azure-monitor-assistant in https://github.com/microsoft/Docker-Provider/pull/1676
+    * chore(deps): Upgrade Go to 1.26.3 and update dependencies by @azure-monitor-assistant in https://github.com/microsoft/Docker-Provider/pull/1690
+    * chore(deps): Upgrade Go to 1.26.3 and update dependencies by @azure-monitor-assistant in https://github.com/microsoft/Docker-Provider/pull/1694
+    * chore(deps): Upgrade Go to 1.26.3 and update dependencies by @azure-monitor-assistant in https://github.com/microsoft/Docker-Provider/pull/1696
+    * Upgrade telegraf-agent to 1.38.3 by @azure-monitor-assistant in https://github.com/microsoft/Docker-Provider/pull/1670
+    * Upgrade telegraf-agent to 1.38.4 by @azure-monitor-assistant in https://github.com/microsoft/Docker-Provider/pull/1685
+    * Upgrade fluent-bit (Linux 5.0.4, Windows 5.0.3) by @zanejohnson-azure in https://github.com/microsoft/Docker-Provider/pull/1671
+    * fix: fluentd procstat pattern by @zanejohnson-azure in https://github.com/microsoft/Docker-Provider/pull/1662
+
+- Infra
+    * Fix Windows multiline test yamls by @zanejohnson-azure in https://github.com/microsoft/Docker-Provider/pull/1686
+    * Migrate release pipeline to SDP by @wanlonghenry in https://github.com/microsoft/Docker-Provider/pull/1681
+    * Update pipeline for merged chart integration by @wanlonghenry in https://github.com/microsoft/Docker-Provider/pull/1682
+    * fix(helm): coerce OmsAgent.isUsingAADAuth to a boolean by @rashmichandrashekar in https://github.com/microsoft/Docker-Provider/pull/1679
+    * fix: add --force-conflicts to helm deploy to resolve server-side apply ownership conflicts by @zanejohnson-azure in https://github.com/microsoft/Docker-Provider/pull/1667
+    * ci: auto-trigger build pipeline for robot upgrade branches by @zanejohnson-azure in https://github.com/microsoft/Docker-Provider/pull/1688
+    * chore: Add automated Go version upgrade workflow by @suyadav1 in https://github.com/microsoft/Docker-Provider/pull/1665
+    * Add automated telegraf-agent upgrade workflow by @suyadav1 in https://github.com/microsoft/Docker-Provider/pull/1652
+    * fix(ci): use variable reference for AllNodesClientId in e2e test stage by @zanejohnson-azure in https://github.com/microsoft/Docker-Provider/pull/1683
+    * Update OmsAgent.ImageTagLinux Toggle Document by @NicAtMS in https://github.com/microsoft/Docker-Provider/pull/1684
+    * Add multiline-validation skill by @zanejohnson-azure in https://github.com/microsoft/Docker-Provider/pull/1687
+    * add e2e tests to all nodes clusters by @zanejohnson-azure in https://github.com/microsoft/Docker-Provider/pull/1677
+    * remove deployment verification by @zanejohnson-azure in https://github.com/microsoft/Docker-Provider/pull/1678
+    * pipelines: add ci-logs-dev-aks-all-nodes deploy job by @zanejohnson-azure in https://github.com/microsoft/Docker-Provider/pull/1666
+
 ### 04/22/2026 -
 ##### Version mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.3.0 (linux)
 ##### Version mcr.microsoft.com/azuremonitor/containerinsights/ciprod:win-3.3.0 (windows)

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: azuremonitor-containers
 description: Azure Monitor container monitoring agent Helm chart for Kubernetes (supports both AKS addon and Arc K8s extension)
-version: 3.3.0
+version: 3.4.0
 appVersion: 7.0.0-1
 kubeVersion: "^1.10.0-0"
 keywords: