Triggering signals
(issue #7627, rubric finding: 4+ of 43 ci-scan runs consumed 2.4M+ effective tokens before concluding with `no follow-up build yet, defer to next run` — a 10× token variance versus low-ET runs on identical pipeline state; the existing "and stop" sentence in Step 1 was not being respected as a hard constraint, link)
(issue #7630, duplicate proposal of same fix, link)
(issue #7636, third failed PR attempt for same fix — patch file available in run 27735971402 artifact, link)
Proposed edits
.github/workflows/ci-scan.agent.md lines 80–82: Add Hard Rule 10 that elevates the no-scannable-build exit to a first-class invariant. The existing Step 1 "and stop" sentence was not preventing the agent from continuing to fetch timelines and logs. Hard Rule 10 names the exact operations forbidden (fetch a timeline, download any log, query any Helix work item) and gives the tally row literal so the agent never needs to compute it.
.github/workflows/ci-scan.agent.md line 92: Update Step 1's trailing sentence to reference Hard Rule 10 directly instead of restating the skip-reason list inline.
Expected behavior change
On any run where Step 1 yields `no follow-up build yet, defer to next run` (or either other selection-time skip reason), the scanner will append the reason to the coverage file, print the tally row `| 0 | 0 | 0 | 1 |`, call `noop`, and stop — without fetching any AzDO timeline, Helix work item, or task log. This eliminates the observed 10× token variance between runs on identical pipeline state and prevents the recurring pattern of 2.4M+ ET runs that produce the same noop outcome.
The patch file is available in the agent artifact in the workflow run linked above.
To create a pull request with the changes:
# Download the artifact from the workflow run
gh run download 27804701902 -n agent -D /tmp/agent-27804701902
# Create a new branch
git checkout -b fix/ci-scan-hard-rule-10-early-exit-cb94654e9999b5b0
# Apply the patch (--3way handles cross-repo patches where files may already exist)
git am --3way /tmp/agent-27804701902/aw-fix-ci-scan-hard-rule-10-early-exit.patch
# Push the branch to origin
git push origin fix/ci-scan-hard-rule-10-early-exit-cb94654e9999b5b0
# Create the pull request
gh pr create --title '[ci-scan-feedback] ci-scan: add Hard Rule 10 to force early exit on no scannable build' --base main --head fix/ci-scan-hard-rule-10-early-exit-cb94654e9999b5b0 --repo dotnet/machinelearning
Show patch preview (51 of 51 lines)
From c63e7644e19190e3bffcd65364f1a64f26aca9dc Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Fri, 19 Jun 2026 04:12:43 +0000
Subject: [PATCH] ci-scan: add Hard Rule 10 to force early exit on no scannable
build
4 of 43 ci-scan runs (>9%) consumed 2.4M+ effective tokens before
concluding with a selection-time skip reason that should have stopped
the run immediately after Step 1. The existing 'and stop' sentence
was not preventing further fetching of timelines, logs, and Helix data.
Add Hard Rule 10 which elevates the no-scannable-build exit to the same
level as the issue-cap and label rules: append the skip reason, print
the tally row, call noop, and stop -- without fetching any timeline,
log, or Helix data.
Update Step 1's trailing sentence to reference Hard Rule 10 directly
instead of restating the skip-reason list inline.
Signal: issues #7627, #7630, #7636 (three failed PR attempts).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
.github/workflows/ci-scan.agent.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci-scan.agent.md b/.github/workflows/ci-scan.agent.md
index 0937c5f..1ace995 100644
--- a/.github/workflows/ci-scan.agent.md+++ b/.github/workflows/ci-scan.agent.md@@ -78,6 +78,7 @@ These invariants are not delegated to the shared file. Honor them even if a shar
7. **All state under `/tmp/gh-aw/agent/`;** each bash call is a fresh subshell.
8. **AzDO REST is anonymous;** stay on `https://dev.azure.com/dnceng-public/public/_apis/build/...`. Follow every rule in [Environment constraints](shared/ci-scan.instructions.md#environment-constraints) (pre-bind URLs, `%24top`, no redirection).
9. **Sanitize every embedded log excerpt** per [Sanitization](shared/ci-scan.instructions.md#sanitization).
+10. **Exit at Step 1 on no scannable build.** If Step 1 yields any selection-time skip reason (`stale build window (>14d)`, `no follow-u
... (truncated)
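Review bot: The added rule 10 line inlines the skip-reason literals (starting with `stale build window (>14d)`) in the Hard Rules list, and the commit message says Step 1 will now point at this rule instead of restating them, so this line becomes the only copy. Confirm each string matches exactly what Step 1 appends to the coverage file, or word the rule as "any selection-time skip reason" so that a renamed reason cannot slip past the early exit. The rule is also still a prose instruction of the same kind as the 'and stop' sentence the commit message reports was not followed, so a deterministic check outside the agent prompt would be a stronger guarantee. The preview is cut off before the second changed line counted in the diffstat (2 insertions, 1 deletion), so the Step 1 edit cannot be reviewed from this text.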
Note
This was originally intended as a pull request, but the git push operation failed.
Workflow Run: View run details and download patch artifact
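An added example, not part of the original issue or the repository's own tooling: a scope check to run on the downloaded patch before `git am`, confirming that it touches only `.github/workflows/ci-scan.agent.md` as the diffstat states. The function names and the sample-patch helper are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: scope-check a bot-generated patch before running `git am`.
# Function names and sample patches are constructed; they are not from the repo.

# Print each path the patch touches (from diff/---/+++/rename headers), sorted.
# A removed content line that happens to look like "--- a/x" is also reported,
# so the check errs toward rejecting.
patch_touched_paths() {
  awk '
    /^diff --git / { for (i = 3; i <= NF; i++) { p = $i; sub(/^[ab]\//, "", p); print p }; next }
    /^(---|\+\+\+) [ab]\// { p = $2; sub(/^[ab]\//, "", p); print p; next }
    /^rename (from|to) / { print $3 }
  ' "$1" | sort -u
}

# Usage: check_patch_scope PATCH ALLOWED_PATH...
# Returns 0 if every touched path is allowed, 1 otherwise, 2 if no headers found.
check_patch_scope() {
  local patch=$1 paths path allowed hit status=0
  shift
  paths=$(patch_touched_paths "$patch")
  [ -n "$paths" ] || { echo "no file headers in $patch" >&2; return 2; }
  while IFS= read -r path; do
    hit=no
    for allowed in "$@"; do
      if [ "$path" = "$allowed" ]; then hit=yes; fi
    done
    if [ "$hit" = no ]; then
      echo "unexpected path in patch: $path" >&2
      status=1
    fi
  done <<EOF
$paths
EOF
  return "$status"
}

# Constructed sample input: $1 = output file, remaining args = paths to include.
write_sample_patch() {
  local out=$1 f
  shift
  : > "$out"
  for f in "$@"; do
    printf 'diff --git a/%s b/%s\n--- a/%s\n+++ b/%s\n@@ -1 +1,2 @@\n ctx\n+added\n' \
      "$f" "$f" "$f" "$f" >> "$out"
  done
}

# When run as a script: ./check.sh PATCH ALLOWED_PATH...
if [ -n "${1:-}" ]; then check_patch_scope "$@"; fi
```

Run it on the downloaded file between `gh run download` and `git am`, passing `.github/workflows/ci-scan.agent.md` as the only allowed path; a non-zero exit means the patch reaches beyond the file the issue describes.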