
[ci-scan-feedback] ci-scan: add Hard Rule 10 to force early exit on no scannable build #7636

Description

@github-actions

Triggering signals

  • (issue #7627, rubric finding: 4 of 39 ci-scan runs consumed 2.4M+ effective tokens before concluding with no follow-up build yet, defer to next run — a 10× token variance versus low-ET runs on identical pipeline state; the existing "and stop" sentence was not being respected as a hard constraint)

Proposed edits

  • .github/workflows/ci-scan.agent.md lines 80–92: Add Hard Rule 10 that elevates the no-scannable-build exit to a first-class invariant. The existing Step 1 sentence "and stop" was not preventing the agent from continuing to fetch timelines and logs. Hard Rule 10 names the exact operations that are forbidden (fetch a timeline, download any log) and gives the tally row literal so the agent never needs to compute it. Also update the Step 1 trailing sentence to reference Hard Rule 10 instead of restating the skip-reason list.

Expected behavior change

On any run where Step 1 yields no follow-up build yet, defer to next run (or either other selection-time skip reason), the scanner will append the reason to the coverage file, print the tally row, call noop, and stop — without fetching any AzDO timeline, Helix work item, or task log. This eliminates the observed 10× token variance between runs on identical pipeline state.

Note

🔒 Integrity filter blocked 1 item

The following item was blocked because it doesn't meet the GitHub integrity level.

  • #7610 list_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

```yaml
tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none
```

Generated by CI Failure Scanner - Feedback (machinelearning) · ● 3.4M ·


Note

This was originally intended as a pull request, but the git push operation failed.

Workflow Run: View run details and download patch artifact

The patch file is available in the agent artifact in the workflow run linked above.

To create a pull request with the changes:

```bash
# Download the artifact from the workflow run
gh run download 27735971402 -n agent -D /tmp/agent-27735971402

# Create a new branch
git checkout -b fix/ci-scan-hard-rule-10-early-exit-af95c8a9e2c72897

# Apply the patch (--3way handles cross-repo patches where files may already exist)
git am --3way /tmp/agent-27735971402/aw-fix-ci-scan-hard-rule-10-early-exit.patch

# Push the branch to origin
git push origin fix/ci-scan-hard-rule-10-early-exit-af95c8a9e2c72897

# Create the pull request
gh pr create --title '[ci-scan-feedback] ci-scan: add Hard Rule 10 to force early exit on no scannable build' --base main --head fix/ci-scan-hard-rule-10-early-exit-af95c8a9e2c72897 --repo dotnet/machinelearning
```

Patch preview (50 of 50 lines)
From b1a5dae1ec5ce554fb39fa003cd6fb79b4dc9a94 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Thu, 18 Jun 2026 04:12:42 +0000
Subject: [PATCH] ci-scan: add Hard Rule 10 to force early exit on no scannable
 build

4 of 39 ci-scan runs (10%) consumed 2.4M+ effective tokens before
concluding with the same skip reason ('no follow-up build yet, defer
to next run') that should have stopped the run immediately after Step 1.
The existing 'and stop' sentence in Step 1 was insufficient as a hard
constraint. (Signal: issue #7627.)

Add Hard Rule 10 which elevates the no-scannable-build exit to the same
level as the issue-cap and label rules: append the skip reason, print
the tally, call noop, and stop -- without fetching any timeline, log, or
Helix data.

Update Step 1's trailing sentence to reference Hard Rule 10 directly
instead of restating the skip-reason list.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/ci-scan.agent.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci-scan.agent.md b/.github/workflows/ci-scan.agent.md
index 0937c5f..5c32474 100644
--- a/.github/workflows/ci-scan.agent.md
+++ b/.github/workflows/ci-scan.agent.md
@@ -78,6 +78,7 @@ These invariants are not delegated to the shared file. Honor them even if a shar
 7. **All state under `/tmp/gh-aw/agent/`;** each bash call is a fresh subshell.
 8. **AzDO REST is anonymous;** stay on `https://dev.azure.com/dnceng-public/public/_apis/build/...`. Follow every rule in [Environment constraints](shared/ci-scan.instructions.md#environment-constraints) (pre-bind URLs, `%24top`, no redirection).
 9. **Sanitize every embedded log excerpt** per [Sanitization](shared/ci-scan.instructions.md#sanitization).
+10. **Exit at Step 1 on no scannable build.** If Step 1 yields any skip reason (`stale build window (>14d)`, `no follow-up build yet, defer to next run`, or `no failed build
... (truncated)
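
Review bot: Rule 10 in this hunk spells out the skip-reason strings inline (`stale build window (>14d)`, `no follow-up build yet, defer to next run`, and a third that is cut off), while rules 8 and 9 just above point to a section of shared/ci-scan.instructions.md for their detail; if Step 1 or the shared file ever rewords a reason, the rule text and the emitted reason can drift apart. Consider defining the reasons once and linking to that anchor from rule 10. Separately, the commit message says the earlier 'and stop' sentence was not honored as a hard constraint, and rule 10 is still a prose instruction to the agent; a deterministic check in the workflow that skips the timeline and log steps when no build is selected would enforce the exit instead of requesting it. The diffstat reports 2 insertions and 1 deletion, but the preview is cut off inside this added line, so the Step 1 edit and the remainder of rule 10 cannot be reviewed from what is shown here.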
