You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
Copy file name to clipboardExpand all lines: README.md
+7-4Lines changed: 7 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -2,6 +2,9 @@
2
2
3
3
> Automated incident detection and remediation with Azure SRE Agent + GitHub Copilot
4
4
5
+
For background and architecture context, see the companion article:
6
+
[Beyond the Alert: Building Self-Healing Pipelines with Azure SRE Agent and GitHub Copilot](https://stochasticcoder.com/2026/04/29/beyond-the-alert-building-self-healing-pipelines-with-azure-sre-agent-and-github-copilot/)
> **Region constraint**: The SRE Agent resource (`Microsoft.App/agents`) is currently available only in `eastus2`, `swedencentral` and `australiaeast`. Set `location` in `terraform.tfvars` accordingly.
@@ -48,7 +48,7 @@ The script runs four phases automatically:
## Step 4 — Configure incident platform and response plan (Azure portal)
82
+
83
+
In the SRE Agent resource, configure inbound incident routing from Azure Monitor:
84
+
85
+
1. Open the SRE Agent resource in the Azure portal
86
+
2. Go to **Builder → Incident Platform**
87
+
3. Select **Azure Monitor** as the incident platform and complete the connection
88
+
4. Go to **Builder → Incident response plans** and create (or customize) a plan for this demo
89
+
5. Set plan filters (for example severity/service/title) and set run mode to **Autonomous** for this demo
90
+
6. Save and enable the plan
91
+
92
+
Azure SRE leverages **Memories**, for resolution, tracking and routing intent (for example: create an Azure DevOps **Issue** and route code-fix work to **GitHub Copilot**). This helps keep behavior consistent across incidents.
93
+
94
+
> You can use the built-in SRE Agent chat to refine investigation and routing behavior **Memories**, then update the response plan configuration based on those results.
95
+
96
+
When incidents match the enabled response plan filters, the agent runs automatically from that incident context.
## Step 5 — Add Azure DevOps as an automated destination
82
108
83
109
After `terraform apply` completes:
84
110
85
111
1. Open the SRE Agent resource in the Azure portal
86
-
2. Go to **Workflows** → add a new workflow
87
-
3. Set the **trigger**: Log Analytics workspace connected to Application Insights — the agent queries exception rates and failure metrics
88
-
4. Set the **destination**: your ADO organization, project, and board; work item type **Issue**
89
-
5. Save — the agent will now create an ADO WorkItem automatically when an anomaly is detected, including the exception type, stack trace, and telemetry deep-links
112
+
2. Go to **Builder → Connectors** and create an **Azure DevOps connector** (org, project, board, auth)
113
+
3. Select the target Azure DevOps project/repository context for this demo
114
+
4. Save — when incidents match the enabled response plan, the agent automatically creates/updates Azure DevOps work items using this connector
## Step 6 — Add GitHub Issues as an automated destination
94
119
95
120
In the same or a parallel workflow in the SRE Agent portal:
96
121
97
-
1. Add a **GitHub** destination
98
-
2. Authenticate and select this repository
99
-
3. Set the assignee to **GitHub Copilot** (the coding agent)
100
-
4. Save — the agent will now open a GitHub Issue with diagnostic context and assign Copilot to resolve it
122
+
1. Go to **Builder → Connectors** and create a **GitHub connector** for this repository
123
+
2. Select this repository in the connector configuration
124
+
3. Save — for each matching incident, the agent automatically opens a GitHub Issue with diagnostic context and assigns GitHub Copilot to complete the fix
> Both the Azure DevOps work item and the GitHub Issue come from the same SRE Agent investigation. Azure DevOps tracks the incident operationally; the GitHub Issue is the work item Copilot acts on.
131
+
101
132
102
-
> Both the ADO WorkItem and the GitHub Issue come from the same SRE Agent investigation. ADO tracks the incident operationally; the GitHub Issue is the work item Copilot acts on.
103
133
104
134
---
105
135
106
-
## Step 6 — Enable branch protection on `main`
136
+
## Step 7 — Enable branch protection on `main`
107
137
108
138
This enforces the human gate — Copilot's fix PR cannot merge without a review.
109
139
110
140
1. Go to **Settings → Branches → Add branch ruleset**
111
141
2. Target: `main`
112
142
3. Enable:
113
143
-**Require a pull request before merging** (1 required approval)
114
-
-**Require status checks to pass** → add `Validate` (from `validate.yml`)
144
+
-**Require status checks to pass** → add the check run from `.github/workflows/validate.yml` (typically `Lint`)
115
145
-**Block force pushes**
116
146
117
147
---
@@ -127,8 +157,10 @@ Copy `infra/terraform.tfvars.example` to `infra/terraform.tfvars` and fill in yo
127
157
|`project_name`| Yes | Used in resource naming |
128
158
|`location`| Yes | Azure region — see region constraint above |
129
159
|`resource_token`| No | Unique suffix; auto-generated if empty |
130
-
|`enable_sre_agent`| No | Defaults to `true`|
131
-
|`sre_agent_access_level`| No |`High` (Reader + Contributor) or `Low` (Reader only) |
160
+
|`enable_sre_agent`| No | Deploy the SRE Agent resource (default: `false`) |
161
+
|`sre_agent_name`| No | Name of the SRE Agent resource (default: `sre-agent`) |
162
+
|`sre_agent_access_level`| No |`High` (Reader + Contributor) or `Low` (Reader only; default: `High`) |
163
+
|`sre_agent_target_resource_groups`| No | Additional resource groups for the agent to monitor |
132
164
133
165
---
134
166
@@ -139,3 +171,15 @@ Copy `infra/terraform.tfvars.example` to `infra/terraform.tfvars` and fill in yo
139
171
```
140
172
141
173
> The Terraform remote state storage account is in a separate resource group (`rg-tfstate-sre`) and is **not** deleted by the above command. Delete it manually when no longer needed.
174
+
175
+
---
176
+
177
+
## Troubleshooting
178
+
179
+
| Symptom | Likely cause | Fix |
180
+
|---------|--------------|-----|
181
+
|`deploy.ps1` fails before Terraform | Not authenticated to the correct subscription | Run `az login`, then rerun with `-Subscription`|
182
+
| GitHub OIDC setup fails on `gh secret set`| GitHub CLI is not authenticated | Run `gh auth login` and retry Step 3 |
183
+
| SRE Agent does not create incidents from alerts | Azure Monitor incident platform or response plan is not enabled | Recheck Step 4 and confirm the response plan is turned on |
184
+
| SRE Agent does not create work items/issues | Azure DevOps/GitHub connector project or repository mapping is not configured correctly | Recheck Steps 5 and 6 and verify connector scope |
185
+
| Branch rule blocks merge unexpectedly | Required check name mismatch | Use the check run generated by `.github/workflows/validate.yml`|
Copy file name to clipboardExpand all lines: docs/walkthrough.md
+16-5Lines changed: 16 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -2,6 +2,9 @@
2
2
3
3
Instructions for injecting a failure, generating errors, and observing the self-healing pipeline end to end.
4
4
5
+
This guide is written as a companion reference for the article:
6
+
[Beyond the Alert: Building Self-Healing Pipelines with Azure SRE Agent and GitHub Copilot](https://stochasticcoder.com/2026/04/29/beyond-the-alert-building-self-healing-pipelines-with-azure-sre-agent-and-github-copilot/)
7
+
5
8
---
6
9
7
10
## Step 1 — Inject the bug and generate errors
@@ -10,7 +13,7 @@ Instructions for injecting a failure, generating errors, and observing the self-
10
13
.\tools\Start-SreDemo.ps1
11
14
```
12
15
13
-
This patches a realistic bug into the ordermanagement API, rebuilds and redeploys the container image via ACR, waits for the new revision to become healthy, then fires a burst of 20 orders to flood Application Insights with errors. Direct portal deep-links are printed for every presenter step.
16
+
This patches a realistic bug into the order-management API, rebuilds and redeploys the container image via ACR, waits for the new revision to become healthy, then fires a burst of 20 orders to flood Application Insights with errors. Direct portal deep-links are printed for each validation step.
14
17
15
18
```powershell
16
19
# Inject a specific bug type with a larger load burst
@@ -30,22 +33,30 @@ This patches a realistic bug into the order management API, rebuilds and redeplo
30
33
31
34
> **`-SkipDeploy`** patches the source file and writes `.chaos-state` but skips the ACR build. Commit and push to trigger the GitHub Actions workflow — useful for demonstrating the full CI/CD path.
32
35
36
+
Typical timeline after load starts:
37
+
38
+
- Application Insights failures appear in about 1-2 minutes
39
+
- SRE Agent investigation and ticketing usually follow shortly after
40
+
- Copilot PR timing depends on repository activity and queue depth
41
+
33
42
---
34
43
35
-
## Step 2 — Walkthrough
44
+
## Step 2 — Verify the closed-loop flow
45
+
46
+
Use this sequence to verify that each stage of the closed-loop flow is working correctly.
0 commit comments