Add agentic workflow for labelling azd extension PRs

[JeffreyCA]

This PR introduces a GitHub Agentic Workflow and adds an extension-focused PR labeler for first-party azd extensions under cli/azd/extensions/** and closely related Azure AI design docs.

Note

This workflow uses safe-outputs.add-labels.allowed: [area/extensions, ext-*] so new extension labels can be picked up without editing the workflow each time. Runtime glob matching for allowed was recently added in github/gh-aw#32027

• Recompile workflow after Support glob patterns in allowed label filters for safe-outputs github/gh-aw#32027 is released in new version of gh-aw

What changes

• Adds an Agentic Workflow that runs for PRs touching cli/azd/extensions/** or cli/azd/docs/**.
• Infers related extension IDs from extension folder names, explicit IDs in docs, and strongly related doc topics.
• Applies the matching ext-* label for mapped extension IDs.
• Applies multiple ext-* labels when a PR relates to multiple mapped extension IDs.
• Falls back to area/extensions when extension-related changes do not match a current ext-* mapping.

Agentic Workflow setup

Because this is the first Agentic Workflow in the repository, this PR also includes the required gh-aw setup artifacts generated from gh aw init:

• Agent instructions/configuration
• MCP configuration
• Action pin metadata
• Lock-file Git attributes
• Copilot setup changes to install the gh-aw CLI

These files support compiling and maintaining the generated workflow lock file and make future Agentic Workflow changes reproducible for reviewers and agents.

Safety and references

The workflow follows gh-aw guidance for Markdown-based workflows, compiled lock files, read-only agent permissions, and GitHub writes through safe-outputs.add-labels:

• https://raw.githubusercontent.com/github/gh-aw/main/create.md
• https://raw.githubusercontent.com/github/gh-aw/main/.github/aw/github-agentic-workflows.md
• https://raw.githubusercontent.com/github/gh-aw/main/.github/aw/safe-outputs.md
• https://raw.githubusercontent.com/github/gh-aw/main/.github/aw/triggers.md

Operational note: the default Copilot engine uses the COPILOT_GITHUB_TOKEN GitHub Actions secret for Copilot CLI authentication. The current PAT expires on August 12, 2026 and should be renewed/rotated before then using the gh-aw AI engine secret guidance:

• https://github.github.com/gh-aw/reference/auth/#github-actions-secrets-for-ai-engines

Validation

Tested and verified on fork repo PR

[jongio]

The security model here is solid - read-only agent permissions, safe-outputs constrained to add_labels with an allowlist, team membership gating in pre_activation, and AWF firewall sandboxing. pull_request_target is the right trigger since this needs to label fork PRs too.

One question on the doc version references in the agent instructions file - see inline comment.

nit: .github/mcp.json is missing a trailing newline.

[jongio]

[MEDIUM] The documentation URLs throughout this file reference gh-aw v0.72.1 (13 occurrences on lines 34, 56, 66, 76, etc.), but the compiled lock file and copilot-setup-steps.yml both use v0.74.3. Is this intentional - e.g., these docs are pinned to a known-good version that was tested? Or should they be updated to match?

If the prompt files at those URLs changed between versions, this agent would load stale instructions when developers use it to create or update workflows.

[jongio]

[LOW] nit: missing newline at end of file.