
[ci-scan-feedback] ci-scan: add Hard Rule 10 to force early exit on no scannable build #7643

Description

@github-actions

Triggering signals

  • (issues #7627, #7630, #7636, #7637, #7639, #7640, #7641, #7642 — rubric finding: eight prior ci-scan-feedback runs filed this same proposed edit as fallback issues instead of PRs because git push to origin kept failing; branch dated 2026-06-24 is the 9th attempt)
  • Rubric finding: of 63 ci-scan runs since window-start (2026-06-08T13:53:53Z), the recurring skip reason is stale build window (>14d) / no follow-up build yet, defer to next run. Runs hitting these conditions consumed 2.2–2.4M+ effective tokens before concluding with noop — approximately 10× the ~250K ET of a correctly-halting Step 1 exit.
  • Rubric finding (tally honesty): skip-only runs emit | 0 | 0 | 0 | 0 | (wrong) instead of | 0 | 0 | 0 | 1 | (correct). Hard Rule 10 fixes this by mandating a skipped-with-reason=1 tally on every skip-only run.

Proposed edits

  • .github/workflows/ci-scan.agent.md:81 (Hard Rules section, after rule 9): Add Hard Rule 10 that names exact forbidden operations (AzDO timeline fetch, log download, Helix query) and mandates the literal tally row | 0 | 0 | 0 | 1 | — tied to the signal above (eight prior failed attempts + ~10× token variance).
  • .github/workflows/ci-scan.agent.md:92 (Step 1 trailing sentence): Replace the inline restatement of the three skip reasons with a single reference to Hard Rule 10 so the constraint is stated once, authoritatively — eliminates the ambiguity that let previous scanner runs continue past the skip condition.

Expected behavior change

On any run where Step 1 yields a selection-time skip (no follow-up build yet, defer to next run, stale build window (>14d), or no failed build in 7d), the scanner will append the reason to the coverage file, print | 0 | 0 | 0 | 1 |, call noop, and stop immediately — without fetching any AzDO timeline, downloading any task log, or querying any Helix work item. This eliminates the observed ~10× token variance between correct low-ET runs (~250K ET) and high-ET runs (2.2–2.4M+ ET) on identical pipeline state, and ensures the tally row correctly shows skipped-with-reason=1 on skip-only runs.

Generated by CI Failure Scanner - Feedback (machinelearning) · ● 3.1M ·


Note

This was originally intended as a pull request, but the git push operation failed.

Workflow Run: View run details and download patch artifact

The patch file is available in the agent artifact in the workflow run linked above.

To create a pull request with the changes:

# Download the artifact from the workflow run
gh run download 28074341026 -n agent -D /tmp/agent-28074341026

# Create a new branch
git checkout -b ci-scan-feedback/hard-rule-10-early-exit-2026-06-24-8057217b49742a43

# Apply the patch (--3way handles cross-repo patches where files may already exist)
git am --3way /tmp/agent-28074341026/aw-ci-scan-feedback-hard-rule-10-early-exit-2026-06-24.patch

# Push the branch to origin
git push origin ci-scan-feedback/hard-rule-10-early-exit-2026-06-24-8057217b49742a43

# Create the pull request
gh pr create --title '[ci-scan-feedback] ci-scan: add Hard Rule 10 to force early exit on no scannable build' --base main --head ci-scan-feedback/hard-rule-10-early-exit-2026-06-24-8057217b49742a43 --repo dotnet/machinelearning

Patch preview (58 of 58 lines)

From c9591c9f9b38a64635d6a587e5d40a89a616f0df Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Wed, 24 Jun 2026 04:11:55 +0000
Subject: [PATCH] ci-scan: add Hard Rule 10 to force early exit on no scannable
 build
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

9 consecutive ci-scan-feedback runs identified that the scanner continues
to Steps 2-7 (AzDO timeline, log download, Helix queries) even after
Step 1 determines there is no scannable build, consuming 2.2–2.4M+
effective tokens on skip-only runs vs ~250K ET when properly halted.

Add Hard Rule 10 which elevates the no-scannable-build exit to the same
hard-constraint level as the issue-cap rule: append the skip reason,
print | 0 | 0 | 0 | 1 |, call noop, and stop — without fetching any
AzDO timeline, downloading any log, or querying any Helix work item.

Also fixes the Step 7 tally honesty: skip-only runs currently emit
| 0 | 0 | 0 | 0 | (wrong) instead of | 0 | 0 | 0 | 1 | (correct).

Update Step 1's trailing sentence to reference Hard Rule 10 directly
instead of restating the skip-reason list inline.

Signal: issues #7627, #7630, #7636, #7637, #7639, #7640, #7641, #7642
(eight prior failed PR push attempts carrying the same proposed edit).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/ci-scan.agent.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci-scan.agent.md b/.github/workflows/ci-scan.agent.md
index 0937c5f..2fa0c17 100644
--- a/.github/workflows/ci-scan.agent.md
+++ b/.github/workflows/ci-scan.agent.md
@@ -78,6 +78,7 @@ These invariants are not delegated to the shared file. Honor them even if a shar
 7. **All state under `/tmp/gh-aw/agent/`;** each bash call is a fresh subshell.
 8. **AzDO REST is anonymous;** stay on `https://dev.azure.com/dnceng-public/public/_apis/build/...`. Follow every rule in [Environment const
... (truncated)
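
Review bot: the hunk at `@@ -78,6 +78,7 @@` grows the Hard Rules list by one line, and the diffstat (`2 insertions(+), 1 deletion(-)`) leaves only a one-line replacement for the rest of the file, so Step 7 itself is not edited even though the commit message says the patch "fixes the Step 7 tally honesty". If Step 7 still carries its own tally instructions, the new rule and Step 7 can disagree on skip-only runs; either update Step 7 to defer to Hard Rule 10 for the `| 0 | 0 | 0 | 1 |` row, or reword the commit message to say the tally is now mandated by the rule rather than fixed in Step 7. The preview is cut off before the added line, so the rule text cannot be checked here; since Step 1 is being changed to reference the rule instead of restating the skip reasons, the rule should list every skip reason explicitly.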
