[ci-scan-feedback] ci-scan: add Hard Rule 10 to force early exit on no scannable build

[github-actions]

Triggering signals

• (issues #7627, #7630, #7636, #7637, #7639, #7640, #7641, #7642, #7643 — rubric finding: nine prior ci-scan-feedback runs filed this same proposed edit as fallback issues instead of PRs because git push to origin kept failing; this is the 10th attempt)
• Rubric finding: of 67 ci-scan runs since window-start (2026-06-08T13:53:53Z), the recurring skip reason is stale build window (>14d) / no follow-up build yet, defer to next run. Runs hitting these conditions consumed 2.2–2.4M+ effective tokens before concluding with noop — approximately 10× the ~250K ET of a correctly-halting Step 1 exit.
• Rubric finding (tally honesty): skip-only runs emit | 0 | 0 | 0 | 0 | (wrong) instead of | 0 | 0 | 0 | 1 | (correct). Hard Rule 10 fixes this by mandating a skipped-with-reason=1 tally on every skip-only run.

Proposed edits

• .github/workflows/ci-scan.agent.md (Hard Rules section, after rule 9): Add Hard Rule 10 that names exact forbidden operations (AzDO timeline fetch, log download, Helix query) and mandates the literal tally row | 0 | 0 | 0 | 1 | — tied to the signal above (nine prior failed attempts + ~10× token variance).
• .github/workflows/ci-scan.agent.md (Step 1 trailing sentence): Replace the inline restatement of the three skip reasons with a single reference to Hard Rule 10 so the constraint is stated once, authoritatively — eliminates the ambiguity that let previous scanner runs continue past the skip condition.

Expected behavior change

On any run where Step 1 yields a selection-time skip (no follow-up build yet, defer to next run, stale build window (>14d), or no failed build in 7d), the scanner will append the reason to the coverage file, print | 0 | 0 | 0 | 1 |, call noop, and stop immediately — without fetching any AzDO timeline, downloading any task log, or querying any Helix work item. This eliminates the observed ~10× token variance between correct low-ET runs (~250K ET) and high-ET runs (2.2–2.4M+ ET) on identical pipeline state, and ensures the tally row correctly shows skipped-with-reason=1 on skip-only runs.

Generated by CI Failure Scanner - Feedback (machinelearning) · ● 6.1M · ◷

---

Note

This was originally intended as a pull request, but the git push operation failed.

Workflow Run: View run details and download patch artifact

The patch file is available in the agent artifact in the workflow run linked above.

To create a pull request with the changes:

# Download the artifact from the workflow run
gh run download 28146069117 -n agent -D /tmp/agent-28146069117

# Create a new branch
git checkout -b ci-scan-feedback/hard-rule-10-early-exit-2026-06-25-f983f0de80cc2582

# Apply the patch (--3way handles cross-repo patches where files may already exist)
git am --3way /tmp/agent-28146069117/aw-ci-scan-feedback-hard-rule-10-early-exit-2026-06-25.patch

# Push the branch to origin
git push origin ci-scan-feedback/hard-rule-10-early-exit-2026-06-25-f983f0de80cc2582

# Create the pull request
gh pr create --title '[ci-scan-feedback] ci-scan: add Hard Rule 10 to force early exit on no scannable build' --base main --head ci-scan-feedback/hard-rule-10-early-exit-2026-06-25-f983f0de80cc2582 --repo dotnet/machinelearning

Show patch preview (58 of 58 lines)

From 6cb381741cfa78efcb2b664d96901c00a2f4ec44 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Thu, 25 Jun 2026 04:14:32 +0000
Subject: [PATCH] ci-scan: add Hard Rule 10 to force early exit on no scannable
 build

10 consecutive ci-scan-feedback runs identified that the scanner
continues to Steps 2-7 (AzDO timeline, log download, Helix queries)
even after Step 1 determines there is no scannable build, consuming
2.2-2.4M+ effective tokens on skip-only runs vs ~250K ET when properly
halted.

Add Hard Rule 10 which elevates the no-scannable-build exit to the
same hard-constraint level as the issue-cap rule: append the skip
reason to the coverage file, print | 0 | 0 | 0 | 1 |, call noop,
and stop - without fetching any AzDO timeline, downloading any log,
or querying any Helix work item.

Also fixes Step 7 tally honesty: skip-only runs should emit
| 0 | 0 | 0 | 1 | (correct) not | 0 | 0 | 0 | 0 | (wrong).

Update Step 1's trailing sentence to reference Hard Rule 10 directly
instead of restating the skip-reason list inline.

Signal: issues #7627, #7630, #7636, #7637, #7639, #7640, #7641,
#7642, #7643 (nine prior failed PR push attempts carrying the same
proposed edit).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/ci-scan.agent.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci-scan.agent.md b/.github/workflows/ci-scan.agent.md
index 0937c5f..4ba5b16 100644
--- a/.github/workflows/ci-scan.agent.md
+++ b/.github/workflows/ci-scan.agent.md
@@ -78,6 +78,7 @@ These invariants are not delegated to the shared file. Honor them even if a shar
 7. **All state under `/tmp/gh-aw/agent/`;** each bash call is a fresh subshell.
 8. **AzDO REST is anonymous;** stay on `https://dev.azure.com/dnceng-public/public/_apis/build/...`. Follow every rule in [Environment constraints](shared/ci-scan.instructions.md#environment-constraints) (pre-bind UR
... (truncated)