Skip to content

Commit cc00e83

Browse files
lewingCopilot
andcommitted
Add agentic-workflow infrastructure for code review and onboarding
This change adds a code-review surface, test-quality enforcement, self-improving guidance plumbing, and supporting infrastructure for agentic workflows in aspnetcore. Builds on patterns proven in other .NET org repos (runtime, msbuild, maui) and the cross-agent AGENTS.md convention. ## Files added (16 plus PROPOSAL-README.md reviewer notes) ### Cross-cutting infrastructure - .github/workflows/shared/pat_pool.md — shared PAT-pool import used by new agentic workflows (avoids duplicating the case() expression per workflow). - .github/workflows/shared/pat_pool.README.md — operator docs for the PAT pool. - .github/workflows/validate-pat-pool.yml — daily PAT health check that catches expired tokens before they break a real workflow. - .github/AGENTIC-WORKFLOWS.md — one-page rubric for adding new gh-aw workflows (tenets, required structure, references to public reference implementations). ### Code-review surface (Blazor-aware) - .github/workflows/code-review.md — thin dispatcher workflow. On PR open or sync, routes to area-specific reviewer agents in parallel and aggregates findings into a single review submission. - .github/skills/code-review/SKILL.md — routing table + general aspnetcore conventions fallback for areas without a dedicated agent. Follows the skill-as-shim pattern: the skill is for discoverability; the agent is the source of truth for content. - .github/agents/blazor-expert-reviewer.agent.md — 12 principles + 12 review dimensions covering render-mode parity, pre-rendering + PersistentComponentState, trim/AOT safety, disposal contracts, JS interop discipline, public API surface, server-circuit thread safety, accessibility, localization, Razor source generator, and hot-reload determinism. Four-wave review process (Discover → Validate → Post → Summary) with proof-or-disprove validation before posting to minimize false positives. Severity ladder: BLOCKING / MAJOR / MODERATE / MINOR. Inline review comments for diff-line findings via create_pull_request_review_comment; design-level concerns via add_comment. Never APPROVE (the agent must not count as a PR approval). ### Test-contract enforcement - .github/workflows/evaluate-pr-tests.md — slash-command (/evaluate-tests) and workflow_dispatch triggered. Pre-gates deterministically in bash on "no test files in diff = exit early" before the agent activates. - .github/skills/evaluate-pr-tests/SKILL.md — 8-dimension rubric for assessing whether tests added in a PR actually exercise the change. Includes Blazor-specific dimensions for render-mode coverage at the E2E level. Calls out the TestRenderer pattern (shared infra from src/Components/Shared/test/) as the canonical component-unit-test approach. Selenium is the incumbent E2E framework; prefer Playwright for new E2E projects (reference pattern in src/ProjectTemplates/test/Templates.Blazor.Tests/). - .github/skills/verify-tests-fail-without-fix/SKILL.md — reverts the production change in a PR, reruns the new tests, and verifies they fail. Strongest objective signal that a regression test exercises the bug it claims to fix. ### Compatibility & breaking-change discipline - .github/skills/assessing-breaking-changes/SKILL.md — blast-radius checklist, deprecation protocol, decision framework. aspnetcore- specific: API review board (not ChangeWave); render-mode parity as a compat dimension; wire-compat considerations for SignalR / DataProtection / Antiforgery / Authentication / PersistentComponentState; WASM trim-safety + NativeAOT regression checks. The Warnings-as- Errors rule (new warnings break consumers that set <TreatWarningsAsErrors>true</TreatWarningsAsErrors>). ### Self-improving guidance - .github/workflows/learn-from-pr.md — manual dispatch with apply: false (report only) or apply: true (open draft PR with applied guidance updates). allowed-files restricted to .github/. - .github/skills/learn-from-pr/SKILL.md — analysis pass: extract reusable lessons from a completed PR, classify them by destination (general copilot-instructions.md, per-area AGENTS.md, area instructions.md shim, skill enhancement, agent dimension addition), and prioritize High / Medium / Low. - .github/agents/learn-from-pr.agent.md — apply pass: takes the skill's High/Medium recommendations and opens a single draft PR with the matching edits. ### Skill validation - .github/workflows/skill-validation.yml — validates skills and agents on every PR touching .github/skills/** or .github/agents/**. Downloads the skill-validator binary from dotnet/skills releases, caches daily, smart-filters to only validate changed skills. - .github/workflows/skill-validation-comment.yml — workflow_run- triggered companion that posts results as a PR comment. Safe for fork PRs (never checks out PR code). ## Conventions adopted ### Per-area guidance: AGENTS.md is the canonical destination Follows the cross-agent AGENTS.md convention (https://agents.md) already used in this repo at src/Components/AGENTS.md and eng/common/AGENTS.md. Closest-to-the-edited-file wins; works with Copilot, Claude Code, Cursor, Codex, and others. When Copilot needs to auto-load guidance via applyTo: glob, the .github/instructions/<area>.instructions.md shim delegates to the AGENTS.md (the existing aspnetcore pattern). ### Test frameworks - Razor component unit logic uses the TestRenderer pattern from src/Components/Shared/test/, brought in via $(ComponentsSharedSourceRoot)test/**/*.cs. bUnit is not used in aspnetcore source. - Selenium is the incumbent E2E framework for components (src/Components/test/E2ETest/, imports $(SharedSourceRoot)E2ETesting/E2ETesting.props). For new E2E projects or surfaces, prefer Playwright (reference pattern in src/ProjectTemplates/test/Templates.Blazor.Tests/). Don't mix frameworks within an existing Selenium project. - Render-mode parity (Server / WASM / Auto) is proven at the E2E level — TestRenderer is in-process and does not model render modes. ## Not included (intentional) - .lock.yml files for the new workflows — must be regenerated with 'gh aw compile' before push. - Changes to existing workflows (community-pr-issue-check, issue-triage-agent, cswin32-update, browsertesting-deps-update, test-quarantine) — kept stable; augmentation is a separate follow-up. - .github/copilot/settings.json and .github/copilot-instructions.md — kept stable; the learn-from-pr agent will extend the latter over time. - .github/agents/aspnetcore-expert-reviewer.agent.md for non-Blazor areas — left as forward-reference for the maintainer to author. ## See PROPOSAL-README.md for reviewer notes including open questions. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent 4637df8 commit cc00e83

17 files changed

Lines changed: 2515 additions & 0 deletions

File tree

.github/AGENTIC-WORKFLOWS.md

Lines changed: 63 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,63 @@
1+
# Agentic Workflows in aspnetcore
2+
3+
One-page rubric for anyone adding or reviewing a `.github/workflows/*.md` (gh-aw) workflow in this repo.
4+
5+
## Decision tree: Skill vs Agent vs Workflow
6+
7+
| Form | Lives in | Purpose | Use when |
8+
|---|---|---|---|
9+
| **Skill** | `.github/skills/<name>/SKILL.md` | Codified procedure invokable by humans-with-Copilot AND by workflows | Logic that is reusable, advisory, or composable. **Default choice — start here.** |
10+
| **Agent** | `.github/agents/<name>.agent.md` | Specialized persona auto-loaded by Copilot when its `description:` matches | Domain-specific reviewer/router (e.g., `blazor-expert-reviewer`); autonomous behavior that *applies* changes (e.g., `learn-from-pr`) |
11+
| **Workflow** | `.github/workflows/<name>.md` | Schedule, trigger, or composition | When something must run on a cron, a PR event, or a slash command. Should be **thin** (60–200 lines). All real logic in skills/agents. |
12+
13+
**Rule of thumb**: write a skill first. A workflow is just the dispatch mechanism. An agent is a skill with a persona and the ability to apply changes.
14+
15+
## Tenets (paraphrased from .NET org internal practice — primary source dotnet/vitals, an internal-only reference repo)
16+
17+
The original Field Guide lives in the internal `dotnet/vitals` repository and is not publicly accessible. The tenets below are paraphrased from those internal patterns; they stand on their own as the rubric for new agentic workflows in this repo. Internal Microsoft contributors can consult the source Field Guide directly; external contributors should treat this document as authoritative.
18+
19+
1. **Verify against current gh-aw docs** — gh-aw releases multiple times a day. Patterns learned from assistants, memories, or this file must be cross-checked at <https://gh.io/gh-aw>.
20+
2. **Least privilege on every dimension**`permissions:`, `safe-outputs:`, `network.allowed:`, `tools:`, secrets. Default to minimum; opt in to more only with justification.
21+
3. **Human-in-the-loop for consequential actions** — writes that affect contributors, security-sensitive areas, or release artifacts require a human gate. Bots draft; humans send.
22+
4. **Deterministic by default** — pre-collect data in bash, gate cheaply, hand structured JSON to the agent. Use agents only when input is unstructured or the decision space is open.
23+
5. **Untrusted input goes inside the agent sandbox** — never execute fork-author code in pre- or post-agent steps where secrets are reachable. The agent sandbox is the security boundary.
24+
6. **Eliminate alert fatigue** — no daily "nothing happened" issues, no comments on every PR push. Use `noop: report-as-issue: false`, `hide-older-comments: true`, `max:` caps everywhere.
25+
7. **Pinned dashboard issues over per-event noise** — for periodic monitoring, update one pinned issue; never spawn one issue per finding per day.
26+
8. **Never present bot actions as human actions** — bot is the visible actor; the responsible human is captured separately (co-author trailer, comment metadata).
27+
9. **Resist building a workflow-management platform** — every layer of meta-orchestration on top of gh-aw becomes a product you maintain. Prefer simple compositions.
28+
10. **Document the trigger's executed-to-filtered ratio** — convenience triggers (slash commands, `pull_request: types: [labeled]`) compile to broad subscriptions. Estimate worst-case invocation rate; keep activation cheap.
29+
11. **Filter outside the agent job** — keep skip/branch logic in steps that run before the agent. Refactor agent jobs toward more deterministic pre-steps over time.
30+
31+
## Required structure
32+
33+
Every new agentic workflow MUST have:
34+
35+
-`imports: - shared/pat_pool.md` (don't duplicate the PAT pool `case()` expression per workflow)
36+
-`safe-outputs:` with `max:` caps on every output type
37+
-`noop: report-as-issue: false` (no junk issues for empty runs)
38+
-`if: !(github.event_name == 'schedule' && github.event.repository.fork)` (fork protection)
39+
-`permissions:` set to read-only by default; writes only via `safe-outputs`
40+
- ✅ Frontmatter `description:` that explains exactly when the workflow should fire (this is what `disable-model-invocation: false` agents auto-load on)
41+
42+
## Required tests before merge
43+
44+
For any new agentic workflow PR:
45+
46+
1. **Compile**: run `gh aw compile <workflow-id>` and commit the `.lock.yml` + `.github/aw/actions-lock.json` delta.
47+
2. **Dry-run dispatch**: trigger via `workflow_dispatch` with `dry-run: true` (every workflow must support this) and verify the prompt logs but no side-effects fire.
48+
3. **PAT pool**: ensure `.github/workflows/validate-pat-pool.yml` is present and green in the last 24h.
49+
4. **Tenet review**: re-read the tenets above. Specifically check tenet 2 (least privilege) and tenet 3 (human-in-the-loop).
50+
51+
## See also
52+
53+
- [agents.md](https://agents.md) — the canonical AGENTS.md cross-agent convention (Linux Foundation, 60k+ projects). aspnetcore already uses it for `src/Components/AGENTS.md` and `eng/common/AGENTS.md`.
54+
- [.github/workflows/shared/pat_pool.README.md](workflows/shared/pat_pool.README.md) — PAT pool implementation details (local to this repo)
55+
- [GitHub Agentic Workflows reference](https://gh.io/gh-aw) — primary public reference for gh-aw syntax, security architecture, triggers, and engine configuration.
56+
- The `dotnet/vitals` Field Guide is the internal-only source for many of the patterns referenced in this document. Microsoft contributors with access can consult it directly for design rationale; external contributors should rely on the tenets and required-structure sections above plus the gh-aw public reference.
57+
- Reference implementations to copy (all public):
58+
- **Thin orchestrator → skill** pattern: [dotnet/runtime/.github/workflows/code-review.md](https://github.com/dotnet/runtime/blob/main/.github/workflows/code-review.md)
59+
- **Per-area reviewer agent**: [dotnet/runtime/.github/agents/extensions-reviewer.agent.md](https://github.com/dotnet/runtime/blob/main/.github/agents/extensions-reviewer.agent.md)
60+
- **Skill-as-shim + 4-wave review**: [dotnet/msbuild/.github/agents/expert-reviewer.agent.md](https://github.com/dotnet/msbuild/blob/main/.github/agents/expert-reviewer.agent.md) and [dotnet/msbuild/.github/skills/reviewing-msbuild-code/SKILL.md](https://github.com/dotnet/msbuild/blob/main/.github/skills/reviewing-msbuild-code/SKILL.md)
61+
- **Self-improving instructions**: [dotnet/maui/.github/agents/learn-from-pr.agent.md](https://github.com/dotnet/maui/blob/main/.github/agents/learn-from-pr.agent.md)
62+
- **CI failure scanner with KBE pattern**: [dotnet/runtime/.github/workflows/ci-failure-scan.md](https://github.com/dotnet/runtime/blob/main/.github/workflows/ci-failure-scan.md)
63+
- **Comprehensive root AGENTS.md**: [dotnet/msbuild/AGENTS.md](https://github.com/dotnet/msbuild/blob/main/AGENTS.md)

0 commit comments

Comments
 (0)