Merge branch 'main' into TryCopyTo

Author: prozolic

.CodeQL.yml

@@ -31,3 +31,27 @@ queries:
         # APIs. Those call sites are well-reviewed and don't benefit from extra alerts regarding
         # the possibility of loading malicious code.
         - "cs/deserialization-unexpected-subtypes"
+  #
+  # Don't warn about usage of non-compliant crypto within our own implementations or interop code,
+  # since the rule would noisily try to warn us about *ourselves*. These exclusions are scoped
+  # to just the crypto code itself. We still want alerts when consumers of crypto (even within this
+  # repo) try to use non-compliant primitives; those call sites must be manually inspected
+  # and suppressed if appropriate.
+  #
+  - exclude:
+      queryid:
+        - "cs/ecb-encryption"
+        - "cs/encryption-with-vulnerable-cipher-mode"
+        - "cs/weak-symmetric-algorithm"
+        - "cs/obsolete-password-key-derivation"
+        - "cs/cryptography/unapproved-usage-of-dsa"
+        - "cs/weak-crypto"
+        - "cs/weak-hmacs"
+        - "java/weak-crypto-algorithm-or-hash"
+      path:
+        - "src/libraries/Common/src/Interop/Windows/BCrypt/**"
+        - "src/libraries/Common/src/System/Security/Cryptography/**"
+        - "src/libraries/Microsoft.Bcl.Cryptography/**"
+        - "src/libraries/System.Security.Cryptography/**"
+        - "src/libraries/System.Security.Cryptography.*/**"
+        - "src/native/libs/System.Security.Cryptography.*/**"

.claude/settings.json

@@ -0,0 +1,13 @@
+{
+  "extraKnownMarketplaces": {
+    "dotnet-arcade-skills": {
+      "source": {
+        "source": "github",
+        "repo": "dotnet/arcade-skills"
+      }
+    }
+  },
+  "enabledPlugins": {
+    "dotnet-dnceng@dotnet-arcade-skills": true
+  }
+}

.config/dotnet-tools.json

@@ -15,7 +15,7 @@
       ]
     },
     "microsoft.dotnet.xharness.cli": {
-      "version": "11.0.0-prerelease.26064.3",
+      "version": "11.0.0-prerelease.26279.1",
       "commands": [
         "xharness"
       ]

.devcontainer/Dockerfile

@@ -4,25 +4,8 @@
 ARG VARIANT="8.0-noble"
 FROM mcr.microsoft.com/devcontainers/dotnet:${VARIANT}
 
-# Set up machine requirements to build the repo and the gh CLI
-RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
-    && apt-get -y install --no-install-recommends \
-        clang \
-        cmake \
-        cpio \
-        build-essential \
-        python3 \
-        curl \
-        git \
-        lldb \
-        llvm \
-        liblldb-dev \
-        libunwind8 \
-        libunwind8-dev \
-        gettext \
-        libicu-dev \
-        liblttng-ust-dev \
-        libssl-dev \
-        libkrb5-dev \
-        ninja-build \
-        tzdata
+SHELL [ "/bin/bash", "-c" ]
+
+# Set up machine requirements to build the repo and the gh CLI.
+RUN curl --remote-name-all -sSL https://github.com/dotnet/runtime/raw/main/eng/common/native/{install-dependencies,init-os-and-arch}.sh && \
+  bash install-dependencies.sh && rm {install-dependencies,init-os-and-arch}.sh

.editorconfig

@@ -165,6 +165,10 @@ csharp_space_between_square_brackets = false
 # License header
 file_header_template = Licensed to the .NET Foundation under one or more agreements.\nThe .NET Foundation licenses this file to you under the MIT license.
 
+# xUnit1051: recommends TestContext.Current.CancellationToken (v3 pattern) which
+# is not yet adopted; suppress until a full v3 migration is performed.
+dotnet_diagnostic.xUnit1051.severity = none
+
 [src/libraries/System.Net.Http/src/System/Net/Http/{SocketsHttpHandler/Http3RequestStream.cs,BrowserHttpHandler/BrowserHttpHandler.cs}]
 # disable CA2025, the analyzer throws a NullReferenceException when processing this file: https://github.com/dotnet/roslyn-analyzers/issues/7652
 dotnet_diagnostic.CA2025.severity = none

.git-blame-ignore-revs

@@ -0,0 +1,75 @@
+# Licensed to the .NET Foundation under one or more agreements.
+# The .NET Foundation licenses this file to you under the MIT license.
+
+# This file is consumed by GitHub by default and the git-blame command
+# optionally to make blames ignore uninteresting commits. See docs here:
+# https://docs.github.com/en/repositories/working-with-files/using-files/viewing-and-understanding-files#ignore-commits-in-the-blame-view
+# To configure git-blame to use this file, run:
+#   git config blame.ignoreRevsFile .git-blame-ignore-revs
+
+# These are the commits that trim gc.cpp copies to contain only
+# the functions relevant to each split file. They should be ignored
+# when running git blame.
+
+# region_allocator.cpp
+d49754129145a19ad7aa5a69122e58d09375f4ac
+
+# region_free_list.cpp
+83fa3f4a0493c9c57f44c7cb6e77bb5dfb05ea91
+
+# finalization.cpp
+2ab9d88c8dd2431fc7a09527dd4adb24848a4ece
+
+# interface.cpp
+b91cb52f3b3f23cdb45ac7234a7cab974cbed9af
+
+# allocation.cpp
+d682279be75df3debe5413c5fed486cfdabc3534
+
+# mark_phase.cpp
+6fbf6a2dd6b5c701119368c08276a3ba552b6683
+
+# plan_phase.cpp
+1b46271bd978040090987df603c062a715f0af65
+
+# relocate_compact.cpp
+35d6f5a8e0323294d7b9ff4bea3c4213a3db2ccb
+
+# sweep.cpp
+43fc659bc9145cab1a4a73aae73ac853bc330256
+
+# background.cpp
+81e8f3b4f28894173c6cd3a3a76c4e7f856e8a66
+
+# regions_segments.cpp
+ba70358a247a319a5e2895fde84b2579172f3d2b
+
+# card_table.cpp
+42f56409dc3c7f2443d28230e3e17c50df9d5629
+
+# memory.cpp
+7aa69f096ff5b56e3669b0fe344b85b04426a52e
+
+# diagnostics.cpp
+7932b9d8847f277d1fdfe0375a71c35c0a6969f3
+
+# dynamic_tuning.cpp
+cdc50607148e41906aafb60e2aeb6aa392d1a249
+
+# no_gc.cpp
+2f4ec5f3f7ec88320804b5cabfb8fce5088b4dbd
+
+# dynamic_heap_count.cpp
+b22c2d115c34e36fa5711caae405e8ee1292d167
+
+# init.cpp
+29123fc5becb2b883b9a335392bf8f1fa709b3e9
+
+# collect.cpp
+b5a1146dcfd341e93178530625503dd4fdff5126
+
+# gc.cpp - trim to core infrastructure
+b3e810d361b0652e4caa9476b88cb66f4ed1eed2
+
+# Prepare: rename gc.cpp to gc_full.cpp
+2fdb93ffc36e8c55b713b017e566deae4438938b

.gitattributes

@@ -82,3 +82,5 @@ src/tests/JIT/Performance/CodeQuality/BenchmarksGame/k-nucleotide/knucleotide-in
 src/tests/JIT/Performance/CodeQuality/BenchmarksGame/k-nucleotide/knucleotide-input-big.txt text eol=lf
 src/mono/browser/runtime/dotnet.d.ts text eol=lf
 src/native/libs/Common/JavaScript/loader/dotnet.d.ts text eol=lf
+
+.github/workflows/*.lock.yml linguist-generated=true merge=ours

.github/agents/agentic-workflows.agent.md

@@ -0,0 +1,217 @@
+---
+name: agentic-workflows
+description: GitHub Agentic Workflows (gh-aw) - Create, debug, and upgrade AI-powered workflows with intelligent prompt routing
+disable-model-invocation: true
+---
+
+# GitHub Agentic Workflows Agent
+
+This agent helps you work with **GitHub Agentic Workflows (gh-aw)**, a CLI extension for creating AI-powered workflows in natural language using markdown files.
+
+## What This Agent Does
+
+This is a **dispatcher agent** that routes your request to the appropriate specialized prompt based on your task:
+
+- **Creating new workflows**: Routes to `create` prompt
+- **Updating existing workflows**: Routes to `update` prompt
+- **Debugging workflows**: Routes to `debug` prompt  
+- **Upgrading workflows**: Routes to `upgrade-agentic-workflows` prompt
+- **Creating report-generating workflows**: Routes to `report` prompt — consult this whenever the workflow posts status updates, audits, analyses, or any structured output as issues, discussions, or comments
+- **Creating shared components**: Routes to `create-shared-agentic-workflow` prompt
+- **Fixing Dependabot PRs**: Routes to `dependabot` prompt — use this when Dependabot opens PRs that modify generated manifest files (`.github/workflows/package.json`, `.github/workflows/requirements.txt`, `.github/workflows/go.mod`). Never merge those PRs directly; instead update the source `.md` files and rerun `gh aw compile --dependabot` to bundle all fixes
+- **Analyzing test coverage**: Routes to `test-coverage` prompt — consult this whenever the workflow reads, analyzes, or reports on test coverage data from PRs or CI runs
+- **CLI commands and triggering workflows**: Routes to `cli-commands` guide — consult this whenever the user asks how to run, compile, debug, or manage workflows from the command line, or when they need the MCP tool equivalent of a `gh aw` command
+
+Workflows may optionally include:
+
+- **Project tracking / monitoring** (GitHub Projects updates, status reporting)
+- **Orchestration / coordination** (one workflow assigning agents or dispatching and coordinating other workflows)
+
+## Files This Applies To
+
+- Workflow files: `.github/workflows/*.md` and `.github/workflows/**/*.md`
+- Workflow lock files: `.github/workflows/*.lock.yml`
+- Shared components: `.github/workflows/shared/*.md`
+- Configuration: https://github.com/github/gh-aw/blob/v0.71.5/.github/aw/github-agentic-workflows.md
+
+## Problems This Solves
+
+- **Workflow Creation**: Design secure, validated agentic workflows with proper triggers, tools, and permissions
+- **Workflow Debugging**: Analyze logs, identify missing tools, investigate failures, and fix configuration issues
+- **Version Upgrades**: Migrate workflows to new gh-aw versions, apply codemods, fix breaking changes
+- **Component Design**: Create reusable shared workflow components that wrap MCP servers
+
+## How to Use
+
+When you interact with this agent, it will:
+
+1. **Understand your intent** - Determine what kind of task you're trying to accomplish
+2. **Route to the right prompt** - Load the specialized prompt file for your task
+3. **Execute the task** - Follow the detailed instructions in the loaded prompt
+
+## Available Prompts
+
+### Create New Workflow
+**Load when**: User wants to create a new workflow from scratch, add automation, or design a workflow that doesn't exist yet
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.71.5/.github/aw/create-agentic-workflow.md
+
+**Use cases**:
+- "Create a workflow that triages issues"
+- "I need a workflow to label pull requests"
+- "Design a weekly research automation"
+
+### Update Existing Workflow  
+**Load when**: User wants to modify, improve, or refactor an existing workflow
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.71.5/.github/aw/update-agentic-workflow.md
+
+**Use cases**:
+- "Add web-fetch tool to the issue-classifier workflow"
+- "Update the PR reviewer to use discussions instead of issues"
+- "Improve the prompt for the weekly-research workflow"
+
+### Debug Workflow  
+**Load when**: User needs to investigate, audit, debug, or understand a workflow, troubleshoot issues, analyze logs, or fix errors
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.71.5/.github/aw/debug-agentic-workflow.md
+
+**Use cases**:
+- "Why is this workflow failing?"
+- "Analyze the logs for workflow X"
+- "Investigate missing tool calls in run #12345"
+
+### Upgrade Agentic Workflows
+**Load when**: User wants to upgrade workflows to a new gh-aw version or fix deprecations
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.71.5/.github/aw/upgrade-agentic-workflows.md
+
+**Use cases**:
+- "Upgrade all workflows to the latest version"
+- "Fix deprecated fields in workflows"
+- "Apply breaking changes from the new release"
+
+### Create a Report-Generating Workflow
+**Load when**: The workflow being created or updated produces reports — recurring status updates, audit summaries, analyses, or any structured output posted as a GitHub issue, discussion, or comment
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.71.5/.github/aw/report.md
+
+**Use cases**:
+- "Create a weekly CI health report"
+- "Post a daily security audit to Discussions"
+- "Add a status update comment to open PRs"
+
+### Create Shared Agentic Workflow
+**Load when**: User wants to create a reusable workflow component or wrap an MCP server
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.71.5/.github/aw/create-shared-agentic-workflow.md
+
+**Use cases**:
+- "Create a shared component for Notion integration"
+- "Wrap the Slack MCP server as a reusable component"
+- "Design a shared workflow for database queries"
+
+### Fix Dependabot PRs
+**Load when**: User needs to close or fix open Dependabot PRs that update dependencies in generated manifest files (`.github/workflows/package.json`, `.github/workflows/requirements.txt`, `.github/workflows/go.mod`)
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.71.5/.github/aw/dependabot.md
+
+**Use cases**:
+- "Fix the open Dependabot PRs for npm dependencies"
+- "Bundle and close the Dependabot PRs for workflow dependencies"
+- "Update @playwright/test to fix the Dependabot PR"
+
+### Analyze Test Coverage
+**Load when**: The workflow reads, analyzes, or reports test coverage — whether triggered by a PR, a schedule, or a slash command. Always consult this prompt before designing the coverage data strategy.
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.71.5/.github/aw/test-coverage.md
+
+**Use cases**:
+- "Create a workflow that comments coverage on PRs"
+- "Analyze coverage trends over time"
+- "Add a coverage gate that blocks PRs below a threshold"
+
+## Instructions
+
+When a user interacts with you:
+
+1. **Identify the task type** from the user's request
+2. **Load the appropriate prompt** from the GitHub repository URLs listed above
+3. **Follow the loaded prompt's instructions** exactly
+4. **If uncertain**, ask clarifying questions to determine the right prompt
+
+## Quick Reference
+
+```bash
+# Initialize repository for agentic workflows
+gh aw init
+
+# Generate the lock file for a workflow
+gh aw compile [workflow-name]
+
+# Debug workflow runs
+gh aw logs [workflow-name]
+gh aw audit <run-id>
+
+# Upgrade workflows
+gh aw fix --write
+gh aw compile --validate
+```
+
+## Key Features of gh-aw
+
+- **Natural Language Workflows**: Write workflows in markdown with YAML frontmatter
+- **AI Engine Support**: Copilot, Claude, Codex, or custom engines
+- **MCP Server Integration**: Connect to Model Context Protocol servers for tools
+- **Safe Outputs**: Structured communication between AI and GitHub API
+- **Strict Mode**: Security-first validation and sandboxing
+- **Shared Components**: Reusable workflow building blocks
+- **Repo Memory**: Persistent git-backed storage for agents
+- **Sandboxed Execution**: All workflows run in the Agent Workflow Firewall (AWF) sandbox, enabling full `bash` and `edit` tools by default
+
+## Important Notes
+
+- Always reference the instructions file at https://github.com/github/gh-aw/blob/v0.71.5/.github/aw/github-agentic-workflows.md for complete documentation
+- Use the MCP tool `agentic-workflows` when running in GitHub Copilot Cloud
+- Workflows must be compiled to `.lock.yml` files before running in GitHub Actions
+- **Bash tools are enabled by default** - Don't restrict bash commands unnecessarily since workflows are sandboxed by the AWF
+- Follow security best practices: minimal permissions, explicit network access, no template injection
+- **Network configuration**: Use ecosystem identifiers (`node`, `python`, `go`, etc.) or explicit FQDNs in `network.allowed`. Bare shorthands like `npm` or `pypi` are **not** valid. See https://github.com/github/gh-aw/blob/v0.71.5/.github/aw/network.md for the full list of valid ecosystem identifiers and domain patterns.
+- **Single-file output**: When creating a workflow, produce exactly **one** workflow `.md` file. Do not create separate documentation files (architecture docs, runbooks, usage guides, etc.). If documentation is needed, add a brief `## Usage` section inside the workflow file itself.
+- **Triggering runs**: Always use `gh aw run <workflow-name>` to trigger a workflow on demand — not `gh workflow run <file>.lock.yml`. `gh aw run` handles workflow resolution by short name, input parsing and validation, and correct run-tracking for agentic workflows. Use `--ref <branch>` to run on a specific branch.
+- **CLI commands reference**: For a complete guide on all `gh aw` commands and their MCP tool equivalents (for restricted environments), see https://github.com/github/gh-aw/blob/v0.71.5/.github/aw/cli-commands.md
+- **Repository-specific requirements**: There are multiple sets of repository-specific instructions below that must be respected. They affect workflow authoring, updates, compilation, and reviews.
+
+## Repository-Specific Requirements: Copilot PAT Pool
+
+**⚠️ MANDATORY**: Every agentic workflow in this repository **must** utilize the Copilot PAT Pool as detailed in `.github/workflows/shared/pat_pool.README.md`. This mechanism selects a random Copilot PAT from a numbered pool of secrets to avoid rate-limiting from a single shared PAT.
+
+When **creating** or **updating** an agentic workflow, always include the following frontmatter that integrates the PAT pool. This should be used verbatim when first added.
+
+```yml
+# ###############################################################
+# Override COPILOT_GITHUB_TOKEN with a random PAT from the pool.
+# This stop-gap will be removed when org billing is available.
+# See: .github/workflows/shared/pat_pool.README.md for more info.
+# ###############################################################
+imports:
+  - shared/pat_pool.md
+
+engine:
+  id: copilot
+  env:
+    COPILOT_GITHUB_TOKEN: ${{ case(needs.pat_pool.outputs.pat_number == '0', secrets.COPILOT_PAT_0, needs.pat_pool.outputs.pat_number == '1', secrets.COPILOT_PAT_1, needs.pat_pool.outputs.pat_number == '2', secrets.COPILOT_PAT_2, needs.pat_pool.outputs.pat_number == '3', secrets.COPILOT_PAT_3, needs.pat_pool.outputs.pat_number == '4', secrets.COPILOT_PAT_4, needs.pat_pool.outputs.pat_number == '5', secrets.COPILOT_PAT_5, needs.pat_pool.outputs.pat_number == '6', secrets.COPILOT_PAT_6, needs.pat_pool.outputs.pat_number == '7', secrets.COPILOT_PAT_7, needs.pat_pool.outputs.pat_number == '8', secrets.COPILOT_PAT_8, needs.pat_pool.outputs.pat_number == '9', secrets.COPILOT_PAT_9, secrets.COPILOT_GITHUB_TOKEN) }}
+```
+
+When the workflow is being updated by hand, the `engine.env.COPILOT_GITHUB_TOKEN` may be reformatted to use a multi-line YAML string for the expression if desired for improved readability.
+
+If other `engine` properties are customized for the workflow, that customization will need to be added into this same `engine` block and hand-editing can rearrange the PAT pool frontmatter and comment for ideal maintainability.
+
+## Repository-Specific Requirements: Schedule Seed
+
+When compiling agentic workflows in this repository, always supply `--schedule-seed dotnet/runtime` so that scheduled cron triggers are deterministic and consistent across recompilations.
+
+```sh
+gh aw compile --schedule-seed dotnet/runtime
+```
+