[ci-scan-feedback] ci-scan: add Hard Rule 10 to force early exit on no scannable build

[github-actions]

Triggering signals

• (issue #7627, rubric finding: selection-time skip reached after 2.4M+ ET on timelines/logs/Helix data, link)
• (issue #7630, second failed PR attempt for same fix, link)
• (issue #7636, third failed PR attempt, link)
• (issue #7637, fourth failed PR attempt, link)
• (issue #7639, fifth failed PR attempt, link)
• Run #27856032094 (2026-06-20T01:25:55Z): conclusion: failure, GH_AW_EFFECTIVE_TOKENS: 2407092 — 5th high-ET run (10% of all 51 runs) burning 2.4M+ ET on timeline/log/Helix fetches that are unreachable once Step 1 yields a selection-time skip.

Proposed edits

• .github/workflows/ci-scan.agent.md (Hard Rules section, after rule 9): Add Hard Rule 10 that elevates the no-scannable-build exit to a first-class constraint — names exact forbidden operations (AzDO timeline fetch, task log download, Helix query) and provides the literal tally output so the agent never has to compute it.
• .github/workflows/ci-scan.agent.md (Step 1 trailing sentence): Replace inline restatement of skip-reason list with single reference to Hard Rule 10 so the constraint is stated once, authoritatively.

Expected behavior change

On any run where Step 1 yields a selection-time skip reason (no follow-up build yet, defer to next run, stale build window (>14d), or no failed build in 7d), the scanner will write that reason to the coverage file, print | 0 | 0 | 0 | 1 | to the agent log, call noop, and stop — without fetching any AzDO timeline, downloading any task log, or querying any Helix work item. This eliminates the observed 10× token variance (250K vs 2.4M+ ET) between correct low-ET runs and high-ET runs on identical pipeline state.

Note

🔒 Integrity filter blocked 6 items

The following items were blocked because they don't meet the GitHub integrity level.

• #7610 list_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #7606 list_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #7605 list_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #7604 list_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #7586 list_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #7575 list_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

Generated by CI Failure Scanner - Feedback (machinelearning) · ● 4.8M · ◷

---

Note

This was originally intended as a pull request, but the git push operation failed.

Workflow Run: View run details and download patch artifact

The patch file is available in the agent artifact in the workflow run linked above.

To create a pull request with the changes:

# Download the artifact from the workflow run
gh run download 27893029845 -n agent -D /tmp/agent-27893029845

# Create a new branch
git checkout -b ci-scan-feedback/hard-rule-10-early-exit-v6-ace540b87f754f81

# Apply the patch (--3way handles cross-repo patches where files may already exist)
git am --3way /tmp/agent-27893029845/aw-ci-scan-feedback-hard-rule-10-early-exit-v6.patch

# Push the branch to origin
git push origin ci-scan-feedback/hard-rule-10-early-exit-v6-ace540b87f754f81

# Create the pull request
gh pr create --title '[ci-scan-feedback] ci-scan: add Hard Rule 10 to force early exit on no scannable build' --base main --head ci-scan-feedback/hard-rule-10-early-exit-v6-ace540b87f754f81 --repo dotnet/machinelearning

Show patch preview (56 of 56 lines)

From 2855ba8ddded8f5f6127cdaacd654cc07345842a Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Sun, 21 Jun 2026 04:13:23 +0000
Subject: [PATCH] ci-scan: add Hard Rule 10 to force early exit on no scannable
 build
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

5 of 51 ci-scan runs consumed 2.4M+ effective tokens before concluding
with a selection-time skip reason that could have stopped the run at
Step 1 in ~250K ET. The existing 'and stop' sentence was not preventing
the agent from fetching timelines, logs, and Helix data.

Add Hard Rule 10: when Step 1 yields any selection-time skip reason
(no follow-up build yet / stale / no failures), write the skip reason,
print | 0 | 0 | 0 | 1 |, call noop, and stop — without fetching any
AzDO timeline, downloading any task log, or querying any Helix work
item.

Update Step 1's trailing sentence to reference Hard Rule 10 directly
instead of restating the skip-reason list inline.

Signal: issues #7627, #7630, #7636, #7637, #7639 (five failed attempts);
run #27856032094 (GH_AW_EFFECTIVE_TOKENS: 2407092, conclusion: failure).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/ci-scan.agent.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci-scan.agent.md b/.github/workflows/ci-scan.agent.md
index 0937c5f..afb77cd 100644
--- a/.github/workflows/ci-scan.agent.md
+++ b/.github/workflows/ci-scan.agent.md
@@ -78,6 +78,7 @@ These invariants are not delegated to the shared file. Honor them even if a shar
 7. **All state under `/tmp/gh-aw/agent/`;** each bash call is a fresh subshell.
 8. **AzDO REST is anonymous;** stay on `https://dev.azure.com/dnceng-public/public/_apis/build/...`. Follow every rule in [Environment constraints](shared/ci-scan.instructions.md#environment-constraints) (pre-bind URLs, `%24top`, no redirection).
 9. **Sanitize every embedded
... (truncated)