Add agentic workflows for code review, CI scan, dependabot auto-merge, and stale issue cleanup

Adds four gh-aw workflows plus one plain finalize workflow:
code-review on every PR, ci-scan periodic, needs-info-sweeper periodic,
and dependabot-auto-merge reviewer + finalizer pair. Agent runs are
read-only; writes are gated through capped, allowlisted safe-outputs.
The finalize job is schedule-only and re-validates every merge condition
before deferring to branch protection via gh pr merge --auto.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: kotlarmilos

.github/aw/actions-lock.json

@@ -5,10 +5,10 @@
       "version": "v8",
       "sha": "ed597411d8f924073f98dfc5c65a23a2325f34cd"
     },
-    "github/gh-aw-actions/setup@v0.67.1": {
-      "repo": "github/gh-aw-actions/setup",
-      "version": "v0.67.1",
-      "sha": "80471a493be8c528dd27daf73cd644242a7965e0"
+    "actions/github-script@v9.0.0": {
+      "repo": "actions/github-script",
+      "version": "v9.0.0",
+      "sha": "3a2844b7e9c422d3c10d287c895573f7108da1b3"
     },
     "github/gh-aw/actions/setup@v0.58.0": {
       "repo": "github/gh-aw/actions/setup",

.github/workflows/ci-scan.agent.lock.yml

@@ -0,0 +1,83 @@
+---
+description: |
+  Daily. Scans recent CI failures across open PRs, identifies recurring
+  failure signatures, and files Known Build Error issues so future PR
+  CI flags them as ignorable. Read-only on code; never edits.
+
+on:
+  schedule: daily
+  roles: [admin, maintain, write]
+
+if: github.repository == 'dotnet/machinelearning'
+
+timeout-minutes: 30
+
+permissions: read-all
+
+network:
+  allowed:
+    - defaults
+    - github
+
+tools:
+  github:
+    toolsets: [repos, pull_requests, actions, issues, search]
+  bash: true
+
+safe-outputs:
+  noop:
+    report-as-issue: false
+  create-issue:
+    title-prefix: "[ci-scan] "
+    labels: [build, "Known Build Error", untriaged]
+    max: 3
+  add-comment:
+    target: "*"
+    max: 5
+    hide-older-comments: true
+---
+
+# CI Failure Scanner
+
+Identify recurring CI failures across recent runs and file Known Build Error issues so PR CI can flag them as already-known.
+
+## Hard rules
+
+1. **Read-only on code.** Workflow does not push, rebase, or label PRs.
+2. **A failure is "recurring" if it has hit ≥ 3 distinct PRs in the last 14 days.** Below that bar, do nothing.
+3. **One issue per signature per run.** Before filing, search open issues for the same normalized signature (label `Known Build Error`). If found, comment with the new occurrences and stop.
+4. **Cap 3 new issues per run.** Force review cadence.
+5. **Never file an issue without a quoted failing log line.** No vague "tests fail sometimes".
+
+## Process
+
+1. List failed workflow runs in the last 14 days: `gh run list --status failure --created '>14d' --json databaseId,name,headBranch,event,conclusion,createdAt --limit 200`.
+2. For each failure, fetch the failing job logs: `gh run view <id> --log-failed`. Cap at 500 lines per job.
+3. Normalize each first-error line (strip paths, timestamps, run IDs, GUIDs).
+4. Group by normalized signature. Count distinct PRs affected per signature.
+5. For each signature with ≥ 3 distinct PRs:
+   - Search for open issues with label `Known Build Error` matching the signature.
+   - If found: comment with new occurrence count, list of recent PRs, latest run link.
+   - If not found and budget allows: file a new issue using the template below.
+6. Stop after 3 new issues.
+
+## Issue template
+
+```
+[ci-scan] <short signature>
+
+**Signature** (normalized):
+`<one line>`
+
+**Failing line** (raw, one example):
+`<one line>`
+
+**Affected PRs in last 14 days** (count: N):
+- #1234 (run: <url>)
+- #1235 (run: <url>)
+...
+
+**Reproducer**: TBD by triage.
+
+🤖 Filed by ci-scan agent.
+```

.github/workflows/ci-scan.agent.md

@@ -0,0 +1,79 @@
+---
+description: |
+  First-pass review on every PR. Posts one comment with correctness,
+  test coverage, and consistency-with-ML.NET-conventions analysis.
+  Read-only otherwise.
+
+on:
+  pull_request:
+    types: [opened, synchronize, ready_for_review]
+  roles: [admin, maintain, write]
+
+if: |
+  github.repository == 'dotnet/machinelearning' &&
+  github.event.pull_request.draft == false
+
+timeout-minutes: 15
+
+permissions: read-all
+
+network:
+  allowed:
+    - defaults
+    - github
+
+tools:
+  github:
+    toolsets: [repos, pull_requests, search]
+  web-fetch:
+
+checkout:
+  fetch-depth: 50
+
+safe-outputs:
+  noop:
+    report-as-issue: false
+  add-comment:
+    target: "triggering"
+    max: 1
+    hide-older-comments: true
+---
+
+# Code Review
+
+Review PR #${{ github.event.pull_request.number }} and post one comment using the format below. Skip drafts.
+
+## Hard rules
+
+1. **Read-only.** No approvals, no labels, no commits.
+2. **One comment per run.** If previous comment is identical, `noop`.
+3. **High signal only.** Do not comment on style, formatting, or trivial naming. Only comment on bugs, missing null checks, incorrect numerical algorithms, breaking API changes, unmanaged-resource leaks, thread safety, and missing tests for new behavior.
+4. **Never claim certainty without proof.** If you suspect a bug, cite the file:line and quote the offending code.
+
+## Scope
+
+- `src/Microsoft.ML.*/**`: trainers, transforms, data. verify numerical correctness, IDataView contract, missing-value handling.
+- `src/Microsoft.ML.OnnxRuntime/**`, `src/Microsoft.ML.OnnxTransformer/**`: ONNX input/output schema, version compatibility.
+- `src/Microsoft.ML.Tokenizers/**`: encoding round-trips, BPE/WordPiece correctness.
+- `test/**`: missing assertions, missing edge cases (empty input, NaN, large input).
+- Public API changes: any new public type/member should have an `<api type="added" />` annotation in `eng/api-baselines/` or equivalent.
+
+## Output format
+
+```
+🤖 Code Review
+
+### Critical
+- file.cs:42. <one-line bug description with quoted code>
+
+### Suggestions
+- file.cs:88. <one-line non-blocking observation>
+
+### Tests
+- <one line on test coverage of new behavior>
+
+### Verdict
+<one of: looks good / changes requested / needs author response>
+```
+
+If no critical findings, fewer than 2 suggestions, and tests look adequate, `noop` instead of posting an empty review.

.github/workflows/code-review.agent.lock.yml

@@ -0,0 +1,143 @@
+name: Dependabot Auto-Merge. Finalize
+
+on:
+  schedule:
+    - cron: "*/30 * * * *"
+
+permissions:
+  contents: write
+  pull-requests: write
+  actions: write
+
+concurrency:
+  group: dependabot-auto-merge-finalize
+  cancel-in-progress: false
+
+jobs:
+  finalize:
+    if: github.repository == 'dotnet/machinelearning'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    env:
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      REPO: ${{ github.repository }}
+      WAIT_HOURS: "4"
+      MAX_ATTEMPTS: "3"
+    steps:
+      - name: Process candidates
+        run: |
+          set -euo pipefail
+
+          mapfile -t prs < <(
+            gh pr list \
+              --repo "$REPO" \
+              --label auto-merge-candidate \
+              --state open \
+              --json number,author,title,mergeable,updatedAt,headRefOid,isDraft \
+              --jq '.[] | select(.isDraft | not) | @json'
+          )
+
+          if [ "${#prs[@]}" -eq 0 ]; then
+            echo "No candidates."
+            exit 0
+          fi
+
+          now=$(date -u +%s)
+
+          for json in "${prs[@]}"; do
+            number=$(jq -r '.number'       <<<"$json")
+            author=$(jq -r '.author.login' <<<"$json")
+            title=$(jq  -r '.title'        <<<"$json")
+            mergeable=$(jq -r '.mergeable' <<<"$json")
+            updated=$(jq -r '.updatedAt'   <<<"$json")
+            sha=$(jq    -r '.headRefOid'   <<<"$json")
+
+            echo "::group::PR #$number"
+
+            case "$author" in
+              dependabot|dependabot[bot]) ;;
+              *) echo "author=$author not dependabot, skipping."; echo "::endgroup::"; continue;;
+            esac
+
+            case "$title" in
+              "Bump "*) ;;
+              *) echo "title not dependabot shape, skipping."; echo "::endgroup::"; continue;;
+            esac
+
+            if [ "$mergeable" != "MERGEABLE" ]; then
+              echo "mergeable=$mergeable, skipping."
+              echo "::endgroup::"
+              continue
+            fi
+
+            checks_json=$(gh pr checks "$number" --repo "$REPO" --required --json name,state,link)
+            failing=$(jq '[.[] | select(.state == "FAILURE" or .state == "CANCELLED")] | length' <<<"$checks_json")
+            pending=$(jq '[.[] | select(.state == "PENDING" or .state == "IN_PROGRESS" or .state == "QUEUED")] | length' <<<"$checks_json")
+
+            if [ "$pending" -gt 0 ] && [ "$failing" -eq 0 ]; then
+              echo "$pending required check(s) still running, will retry next cycle."
+              echo "::endgroup::"
+              continue
+            fi
+
+            if [ "$failing" -gt 0 ]; then
+              mapfile -t failed_runs < <(
+                gh run list \
+                  --repo "$REPO" \
+                  --commit "$sha" \
+                  --status failure \
+                  --limit 50 \
+                  --json databaseId,name,attempt,event \
+                  --jq '.[] | select(.event == "pull_request" or .event == "push") | @json'
+              )
+
+              rerun_count=0
+              giveup=0
+              for run_json in "${failed_runs[@]}"; do
+                run_id=$(jq -r '.databaseId' <<<"$run_json")
+                run_name=$(jq -r '.name'     <<<"$run_json")
+                attempt=$(jq -r '.attempt'   <<<"$run_json")
+
+                if [ "$attempt" -ge "$MAX_ATTEMPTS" ]; then
+                  echo "run $run_id ($run_name): attempt=$attempt >= $MAX_ATTEMPTS, giving up."
+                  giveup=1
+                  continue
+                fi
+
+                echo "run $run_id ($run_name): attempt=$attempt, rerunning failed jobs."
+                if gh run rerun "$run_id" --failed --repo "$REPO"; then
+                  rerun_count=$((rerun_count + 1))
+                else
+                  echo "run $run_id: rerun call failed, treating as giveup."
+                  giveup=1
+                fi
+              done
+
+              if [ "$giveup" -eq 1 ]; then
+                echo "Attempt cap reached. Removing auto-merge-candidate; a human needs to look."
+                gh pr edit "$number" --repo "$REPO" --remove-label auto-merge-candidate
+                gh pr comment "$number" --repo "$REPO" --body \
+                  "🤖 Dependabot auto-merge: required CI is red after $MAX_ATTEMPTS attempts. Removing \`auto-merge-candidate\`. A human needs to triage. Re-add the label after the underlying issue is resolved."
+              elif [ "$rerun_count" -gt 0 ]; then
+                echo "Triggered $rerun_count rerun(s); will re-evaluate next cycle."
+              fi
+              echo "::endgroup::"
+              continue
+            fi
+
+            updated_epoch=$(date -u -d "$updated" +%s 2>/dev/null || date -u -j -f "%Y-%m-%dT%H:%M:%SZ" "$updated" +%s)
+            age_hours=$(( (now - updated_epoch) / 3600 ))
+            if [ "$age_hours" -lt "$WAIT_HOURS" ]; then
+              echo "age ${age_hours}h < ${WAIT_HOURS}h required, skipping."
+              echo "::endgroup::"
+              continue
+            fi
+
+            echo "All gates green and minimum age reached. Merging."
+            gh pr merge "$number" \
+              --repo "$REPO" \
+              --squash \
+              --delete-branch \
+              --auto
+            echo "::endgroup::"
+          done