Add agentic workflows for code review, triage, and PR/CI grooming

.gitattributes

@@ -6,3 +6,5 @@
 # Force bash scripts to always use lf line endings so that if a repo is accessed
 # in Unix via a file share from Windows, the scripts will work.
 *.sh text eol=lf
+
+.github/workflows/*.lock.yml linguist-generated=true merge=ours

.github/aw/actions-lock.json

@@ -0,0 +1,9 @@
+{
+  "entries": {
+    "actions/github-script@v9.0.0": {
+      "repo": "actions/github-script",
+      "version": "v9.0.0",
+      "sha": "3a2844b7e9c422d3c10d287c895573f7108da1b3"
+    }
+  }
+}

.github/workflows/ci-scan.agent.md

@@ -0,0 +1,83 @@
+---
+description: |
+  Daily. Scans recent CI failures across open PRs, identifies recurring
+  failure signatures, and files Known Build Error issues so future PR
+  CI flags them as ignorable. Read-only on code; never edits.
+
+on:
+  schedule: daily
+  roles: [admin, maintain, write]
+
+if: github.repository == 'dotnet/TorchSharp'
+
+timeout-minutes: 30
+
+permissions: read-all
+
+network:
+  allowed:
+    - defaults
+    - github
+
+tools:
+  github:
+    toolsets: [repos, pull_requests, actions, issues, search]
+  bash: true
+
+safe-outputs:
+  noop:
+    report-as-issue: false
+  create-issue:
+    title-prefix: "[ci-scan] "
+    labels: [build, "Known Build Error", untriaged]
+    max: 3
+  add-comment:
+    target: "*"
+    max: 5
+    hide-older-comments: true
+---
+
+# CI Failure Scanner
+
+Identify recurring CI failures across recent runs and file Known Build Error issues so PR CI can flag them as already-known.
+
+## Hard rules
+
+1. **Read-only on code.** Workflow does not push, rebase, or label PRs.
+2. **A failure is "recurring" if it has hit ≥ 3 distinct PRs in the last 14 days.** Below that bar, do nothing.
+3. **One issue per signature per run.** Before filing, search open issues for the same normalized signature. If found, comment on it with the new occurrences and stop.
+4. **Cap 3 new issues per run.** Force review cadence.
+5. **Never file an issue without a quoted failing log line.** No vague "tests fail sometimes".
+
+## Process
+
+1. List failed workflow runs in the last 14 days: `gh run list --status failure --created '>14d' --json databaseId,name,headBranch,event,conclusion,createdAt --limit 200`.
+2. For each failure, fetch the failing job logs: `gh run view <id> --log-failed`. Cap at 500 lines per job.
+3. Normalize each first-error line (strip paths, timestamps, run IDs, GUIDs).
+4. Group by normalized signature. Count distinct PRs affected per signature.
+5. For each signature with ≥ 3 distinct PRs:
+   - Search for open issues with label `Known Build Error` matching the signature.
+   - If found: comment with new occurrence count, list of recent PRs, latest run link.
+   - If not found and budget allows: file a new issue using the template below.
+6. Stop after 3 new issues.
+
+## Issue template
+
+```
+[ci-scan] <short signature>
+
+**Signature** (normalized):
+`<one line>`
+
+**Failing line** (raw, one example):
+`<one line>`
+
+**Affected PRs in last 14 days** (count: N):
+- #1234 (run: <url>)
+- #1235 (run: <url>)
+...
+
+**Reproducer**: TBD by triage.
+
+🤖 Filed by ci-scan agent.
+```

.github/workflows/code-review.agent.md

@@ -0,0 +1,75 @@
+---
+description: |
+  First-pass review on every PR. Posts one comment with correctness, style,
+  and packaging-impact analysis. Read-only otherwise.
+
+on:
+  pull_request:
+    types: [opened, synchronize, ready_for_review]
+  roles: [admin, maintain, write]
+
+if: |
+  github.repository == 'dotnet/TorchSharp' &&
+  github.event.pull_request.draft == false
+
+timeout-minutes: 15
+
+permissions: read-all
+
+network:
+  allowed:
+    - defaults
+    - github
+
+tools:
+  github:
+    toolsets: [repos, pull_requests, search]
+  web-fetch:
+
+checkout:
+  fetch-depth: 50
+
+safe-outputs:
+  noop:
+    report-as-issue: false
+  add-comment:
+    target: "triggering"
+    max: 1
+    hide-older-comments: true
+---
+
+# Code Review
+
+Review PR #${{ github.event.pull_request.number }} and post one comment using the format below. Skip drafts.
+
+## Hard rules
+
+1. **Read-only.** No approvals, no labels, no commits.
+2. **One comment per run.** If previous comment is identical, `noop`.
+3. **High signal only.** Do not comment on style, formatting, comment wording, or trivial naming. Only comment on bugs, missing null checks, P/Invoke signature mismatches, memory ownership, thread safety, ABI breaks, and API consistency with the rest of TorchSharp.
+4. **Never claim certainty without proof.** If you suspect a bug, cite the file:line and quote the offending code.
+
+## Scope
+
+- `src/TorchSharp/PInvoke/**`: verify P/Invoke signatures (parameter types, calling conventions, marshaling) match the corresponding declarations in `src/Native/**` headers.
+- `src/Native/**`: verify ABI compatibility (no signature changes to exported functions without bumping the native package version).
+- `src/TorchSharp/**`: API consistency, IDisposable patterns, tensor ownership semantics.
+- `pkg/**`, `Directory.Packages.props`: packaging changes. flag any version bump that crosses a libtorch major.
+- `tests/**`: missing assertions, missing cleanup of GPU resources.
+
+## Output format
+
+```
+🤖 Code Review
+
+### Critical
+- file.cs:42. <one-line bug description with quoted code>
+
+### Suggestions
+- file.cs:88. <one-line non-blocking observation>
+
+### Verdict
+<one of: looks good / changes requested / needs author response>
+```
+
+If no critical findings and fewer than 2 suggestions, `noop` instead of posting an empty review.