Tracking: CI improvements

[radical]

Goal

Track in-flight and planned CI improvements for the repo — pipeline performance, test-pipeline unification, build/publish validation, workflow security, and a sub-track of agentic automation to reduce manual CI monitoring.

Pipeline performance

• perf(ci): cut microsoft-aspire pipeline wall-clock from 121min to ~57min #17760 — cut the microsoft-aspire pipeline wall-clock from ~121 min to ~57 min
• Port conditional test selection changes to main #15742 — port conditional test selection to main (currently NO-MERGE)

Test pipeline unification

• Unify quarantine and outerloop CI with the main test pipeline #16448 — unify quarantine + outerloop CI with the main test pipeline (extract run-tests-core.yml)

Build & publish validation

• Validate published Aspire CLI builds end-to-end from AzDO + GH #17532 — validate published Aspire CLI builds end-to-end from AzDO + GH

Workflow security

• Add zizmor GitHub Actions security analysis workflow #15987 — add zizmor GitHub Actions security analysis workflow

PR testing / infra

• Improve pr-testing to handle and test infra changes (branch ankj/pr-testing-infra-skill, not yet pushed)

Agentic CI automation

Reduce hand-monitoring of CI: agents spot, analyze, file issues, and open PRs for humans to review/approve, then validate their own work. Builds on the repo's existing gh-aw setup and CI plumbing.

Failure visibility / monitoring

• ci(notify): file/update ci-broken GitHub issue when internal AzDO build breaks on main/release/* #17920 — file/update a ci-broken issue when the internal AzDO build breaks on main/release/*
• Monitoring workflow to open issues for failing GH workflows (branch ankj/workflow-failure-issues, not yet pushed) — adapt gh-aw ci-doctor + aw-failure-investigator; dedup; consumes AzDO-filed issues too

Quarantine automation

• gh-aw quarantine tracker + auto-(un)quarantine — track quarantined-test runs, update per-test issues with per-OS pass/fail history, open human-approved quarantine/unquarantine PRs. Implements the "separate process" described in docs/unquarantine-policy.md (relates to [tests] Quarantined tests dashboard #8813)

CI health

• gh-aw CI-health report — scheduled report (pinned-issue, repo-pulse pattern)
• gh-aw CI-health remediation — act on CI-health signals (split slow test projects; add recurring flaky/network signatures to auto-rerun patterns)

Guardrails for the agentic items: confidence thresholds before acting; keep rolling pass-rate even when a rerun recovers; quarantine budget + enforced de-quarantine; cost/recursion caps; global /agent-stop; every code or quarantine mutation goes through a human-approved PR.