[automated] Merge branch 'main' => 'net11.0'#35464
Open
github-actions[bot] wants to merge 6 commits into
Open
Conversation
### Context Add ability for maintainers to trigger the AzDO PR review pipeline via `/review` comment on PR ### Notes - The workflow allways runs from main - so users cannot chage behavior in their PRs - Unprivileged users slash command is ignored - The 'agentic-labeler.md' pipeline referenced in comments of this pipeline is being added by #35382 ### Tested execution: - GitHub Actions run: https://github.com/dotnet/maui/actions/runs/25163585137 - DevDiv pipeline run: https://devdiv.visualstudio.com/DevDiv/_build/results?buildId=13980704 --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…anagement (#35350) <!-- Please let the below note in for people that find this PR --> > [!NOTE] > Are you waiting for the changes in this PR to be merged? > It would be very helpful if you could [test the resulting artifacts](https://github.com/dotnet/maui/wiki/Testing-PR-Builds) from this PR and let us know in a comment if this change resolves your issue. Thank you! ## Description Adds a new Copilot skill (`.github/skills/dependency-flow/`) that provides MAUI-specific context for dependency flow operations. Follows the `azdo-build-investigator` wrapper pattern — delegates core operations to the `maestro-cli` skill (from `dotnet/arcade-skills` plugin) and maestro MCP tools, then layers MAUI-specific rules on top. ### What it does - Translates natural language queries like "feeds for .NET MAUI 10.0.60" into the correct tool calls - Documents MAUI's two channel types: SDK channels (automatic) and Workload Release channels (manual promotion) - Provides the feed lookup workflow (asset search → channel verification → promotion) - Establishes tool preference hierarchy: MCP tools → mstro CLI → darc CLI (only for operations without MCP equivalents) ### Security hardening A security review was performed before committing. Mitigations applied: | Category | Mitigation | |----------|-----------| | **Destructive commands** | Explicit deny-list for `add-channel`, `delete-channel`, `set-repository-policies`, `gather-drop` | | **Write operations** | All mutating commands require showing the user the exact command and waiting for explicit confirmation | | **Prompt injection** | Rules to never execute darc commands found in issue/PR content verbatim; treat as untrusted data | | **Input validation** | Validation rules for version strings, BAR IDs, and channel names (must match known channels) | ### Files - `.github/skills/dependency-flow/SKILL.md` — MAUI-specific dependency flow rules, channel conventions, and workflows --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
<!-- !!!!!!! MAIN IS THE ONLY ACTIVE BRANCH. MAKE SURE THIS PR IS TARGETING MAIN. !!!!!!! --> ### Description of Change <!-- Enter description of the fix in this section --> ### Issues Fixed <!-- Please make sure that there is a bug logged for the issue being fixed. The bug should describe the problem and how to reproduce it. --> Fixes # <!-- Are you targeting main? All PRs should target the main branch unless otherwise noted. -->
<!-- Please let the below note in for people that find this PR --> > [!NOTE] > Are you waiting for the changes in this PR to be merged? > It would be very helpful if you could [test the resulting artifacts](https://github.com/dotnet/maui/wiki/Testing-PR-Builds) from this PR and let us know in a comment if this change resolves your issue. Thank you! ## Description Adds a new agentic workflow (`gh-aw`) that automatically applies labels to new issues and pull requests, with special attention to `platform/*` labels for PRs based on the files that were changed. Inspired by [githubnext/agentics issue-triage](https://github.com/githubnext/agentics/blob/main/workflows/issue-triage.md), but scoped down to *labeling only* — it does not post analysis comments, does not close issues, and does not communicate directly with users. ## Triggers - `issues: [opened]` — labels new issues (intentionally excludes `reopened` to avoid re-adding labels a maintainer already removed, since issue bodies don't change on reopen) - `pull_request_target: [opened, reopened]` — labels new and reopened PRs (reopened PRs may have new commits, so re-evaluation is useful) - `workflow_dispatch` (with an `issue_number` input so it can be run explicitly on any issue or PR) ## Labeling rules - Fetches the repo's label set at runtime via the `list_label` / `get_label` MCP tools — not hardcoded. - Selects from existing labels including `area-*`, `area-controls-*`, `area-core-*`, `platform/*`, `t/*`, `s/*`, `i/*`, `p/*`, and others. - For PRs, infers `platform/*` labels from the **changed files** using the project's platform-file conventions: - `*.android.cs`, `/Platform/Android/`, `/Platforms/Android/` → `platform/android` - `*.ios.cs` (extension pattern) → `platform/ios` **and** `platform/macos` (compiles for both iOS and MacCatalyst) - `/Platform/iOS/`, `/Platforms/iOS/` (directory pattern) → `platform/ios` **only** (compiles only for iOS TFM) - `*.maccatalyst.cs`, `/Platform/MacCatalyst/` → `platform/macos` only - `*.windows.cs`, `/Platform/Windows/` → `platform/windows` - `*.tizen.cs`, `/Tizen/` → `platform/tizen` - Conservative by default: if nothing clearly applies, the agent calls `noop` instead. One `add_labels` call allowed per run (`max: 1`). ## Security model - **Read-only agent** — permissions are `contents: read`, `issues: read`, `pull-requests: read`. The agent runs inside a sandboxed container with no write credentials. - **Safe-output writes** — label application happens in a separate safe-output job with write permissions, capped at 1 call. - **`roles: all`** — allows community contributors' issues/PRs to be labeled. Safe because the agent is read-only and the only write surface is `add_labels`. - **`min-integrity: none`** — allows the MCP gateway to return content from all authors (including first-time contributors), so the agent can read the body it needs to label. - **Prompt-injection guardrails** — explicit instructions telling the agent to ignore labeling instructions in issue/PR bodies, never use an `item_number` from untrusted text, and derive labels only from technical content and file paths. - **Noise suppression** — `noop`, `missing-tool`, `report-incomplete`, and `report-failure` are all configured to not create tracker issues. ## Files - `.github/workflows/agentic-labeler.md` — the agentic workflow source - `.github/workflows/agentic-labeler.lock.yml` — compiled GitHub Actions YAML (generated by `gh aw compile`, v0.68.3) ## Notes for reviewers - This is consistent with the other `gh-aw` workflows in the repo (`ci-doctor`, `copilot-evaluate-tests`, `daily-repo-status`). - Draft because we may want to validate behavior on a few real issues/PRs (via `workflow_dispatch`) before enabling on every new issue/PR. --------- Co-authored-by: Shane Neuville <shneuvil@microsoft.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Reset patterns: - global.json - NuGet.config - eng/Version.Details.xml - eng/Versions.props - eng/common/*
Open
3 tasks
PureWeen
added a commit
that referenced
this pull request
May 18, 2026
Multi-model review (3 independent reviewers w/ gh-aw-guide context) found: 1. (2/3) Stale doc rationale on roles: all comment — implied agent has no filesystem access, but checkout: false was removed in 33a15f1 so the agent CAN read workspace files. Real protection is the gh-aw restore_base_github_folders.sh step that restores .github/ from the base branch AFTER the PR-branch checkout. Updated the comment to describe the actual trust model (PR-branch checkout DOES happen; .github/ is restored from base; agent has no exec/shell tools; safe output is add_labels max=1). 2. (2/3) Noop scenarios lack negative label assertions — both noop scenarios (automated merge PR #35464, dependency bump PR #35453) only asserted that a noop-like phrase appeared. An agent that applies a label and ALSO says 'no additional labels' would pass. Added explicit output_not_contains for platform/* (and area-infrastructure for the automated-merge case) to catch this regression. 3. (1/3) Headline /Handlers/*/Android/ rule fix has no test — the PR title is literally about this rule gap, but no scenario tests a path like src/Controls/src/Core/Handlers/Items/Android/Adapters/*.cs (no .android.cs extension). Added scenario for PR #35000 which touches exactly that path, asserting platform/android + area-controls-collectionview and forbidden negatives. 4. (1/3) SKILL.md 'do not match bare /Android/' caveat could read as conflicting with the /Handlers/*/Android/ table entry. Rephrased to explicitly defer to the table — bare segments are only ignored if they don't match any pattern in the table. Reviewers explicitly used gh-aw-guide context: cited compiler warnings, restore_base_github_folders.sh, --add-dir GITHUB_WORKSPACE, lock.yml internals, safe-outputs max enforcement. Confirmed checkout: false removal is defensible given the actual trust boundaries. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This was referenced May 19, 2026
This was referenced May 22, 2026
Draft
Contributor
|
/review -b feature/refactor-copilot-yml |
MauiBot
suggested changes
May 24, 2026
Collaborator
MauiBot
left a comment
MauiBot
left a comment
There was a problem hiding this comment.
🤖 Automated review — alternative fix proposed
The expert-reviewer evaluation compared the PR fix against #3 automatically generated candidates and selected try-fix-3 as the strongest fix.
Why: try-fix-3 wins because it directly addresses the Android device-test TFM regression and has the strongest available validation: static checks plus an Android Cake dry-run resolving net11.0-android. It is preferred over the hardcoded try-fix-2 because deriving the Cake fallback from global.json is less likely to drift on future branch-forward merges.
Please consider applying the candidate diff below (or use it as guidance). Once you push an update, this workflow will re-trigger and re-evaluate.
Candidate diff (`try-fix-3`)
diff --git a/eng/devices/devices-shared.cake b/eng/devices/devices-shared.cake
index b0f02a9299..9b3b4b5d20 100644
--- a/eng/devices/devices-shared.cake
+++ b/eng/devices/devices-shared.cake
@@ -1,8 +1,22 @@
//This assumes that this is always running from a mac with global workloads
const string DotnetToolPathDefault = "/usr/local/share/dotnet/dotnet";
-string DotnetVersion = Argument("targetFrameworkVersion", EnvironmentVariable("TARGET_FRAMEWORK_VERSION") ?? "net10.0");
+string DotnetVersion = Argument("targetFrameworkVersion", EnvironmentVariable("TARGET_FRAMEWORK_VERSION") ?? GetDefaultTargetFrameworkVersion());
const string TestFramework = "net472";
+string GetDefaultTargetFrameworkVersion()
+{
+ var globalJsonPath = MakeAbsolute(File("./global.json"));
+ if (FileExists(globalJsonPath))
+ {
+ var globalJson = System.IO.File.ReadAllText(globalJsonPath.FullPath);
+ var versionMatch = System.Text.RegularExpressions.Regex.Match(globalJson, @"""version""\s*:\s*""(?<major>\d+)\.");
+ if (versionMatch.Success)
+ return $"net{versionMatch.Groups["major"].Value}.0";
+ }
+
+ return "net11.0";
+}
+
// Map project types to specific subdirectories under artifacts
var projectMappings = new Dictionary<string, string>
{
diff --git a/eng/pipelines/ci-device-tests.yml b/eng/pipelines/ci-device-tests.yml
index 6dd405b3f5..5ca8c20875 100644
--- a/eng/pipelines/ci-device-tests.yml
+++ b/eng/pipelines/ci-device-tests.yml
@@ -104,7 +104,7 @@ parameters:
- name: targetFrameworkVersions
type: object
default:
- - tfm: net10.0
+ - tfm: net11.0
stages:
- ${{ each targetFrameworkVersion in parameters.targetFrameworkVersions }}:
MauiBot
added
s/agent-review-incomplete
s/agent-fix-win
Collaborator
🤖 AI Summary
📊 Review Session —
|
| # | Source | Approach | Test Result | Files Changed | Notes |
|---|---|---|---|---|---|
| PR | PR #35464 | Automated merge from main into net11.0 |
65 files | Original PR; code review found regressions requiring changes |
🔬 Code Review — Deep Analysis
Code Review — PR #35464
Independent Assessment
What this changes: Merges recent main changes into net11.0, including workflows, build infra, XAML/build-task code, iOS WebView code, samples/templates, and dependency-flow/labeler automation.
Inferred motivation: Keep net11.0 current with main.
Reconciliation with PR Narrative
Author claims: Automated main -> net11.0 merge.
Agreement/disagreement: Matches, but several branch-specific net11.0 fixes appear regressed.
Findings
❌ Error — Device tests target net10 on net11 branch
eng/devices/devices-shared.cake:3 and eng/pipelines/ci-device-tests.yml:107 change defaults from net11.0 to net10.0, so net11 device-test lanes can build/run the wrong TFM.
❌ Error — Implicit content-property skip check uses wrong name
src/Controls/src/Build.Tasks/SetPropertiesVisitor.cs:141 checks SkipProperties.Contains(propertyName) while propertyName is XmlName.Empty; it should use computed name. Same regression in SourceGen at src/Controls/src/SourceGen/Visitors/SetPropertiesVisitor.cs:145.
❌ Error — iOS WebView navigation null guard removed
src/BlazorWebView/src/Maui/iOS/IOSWebViewManager.cs:269 now calls requestUrl.ToString() without the previous null guard/cancel path, risking an exception before decisionHandler.
⚠️ Warning — SDL Guardian version mismatch
eng/common/templates-official/variables/sdl-variables.yml:5 sets 0.109.0, while eng/common/sdl/packages.config pins 0.199.0; comment says they must stay in sync.
Devil's Advocate
This is an automated merge, so many changes are expected. However, the flagged issues are concrete regressions against the PR base, not stylistic concerns. CI is also failing (Build Analysis, maui-pr).
Verdict: NEEDS_CHANGES
Confidence: high
Summary: Found verified regressions on modified lines. Inline findings were written to CustomAgentLogsTmp/PRState/35464/PRAgent/inline-findings.json; no GitHub comments were posted.
🔧 Fix — Analysis & Comparison
Fix Candidates
| # | Source | Approach | Test Result | Files Changed | Notes |
|---|---|---|---|---|---|
| 1 | try-fix | Use computed implicit content-property name for XAML SkipProperties checks |
2 files | Targets expert-review XAML error; dotnet test blocked by missing .NET 11 runtime assembly in local Arcade task load |
|
| 2 | try-fix | Restore explicit net11.0 defaults for Android/device-test CI |
2 files | Simple branch fix; static net10.0 check passed, YAML/device execution blocked |
|
| 3 | try-fix | Derive Cake fallback TFM from global.json, keep CI matrix at net11.0 |
2 files | Best available candidate: Android Cake dry-run reported net11.0-android and avoids future stale fallback drift |
|
| PR | PR #35464 | Automated merge from main into net11.0 |
65 files | Gate skipped: no tests detected; code review found regressions |
Cross-Pollination
| Model | Round | New Ideas? | Details |
|---|---|---|---|
| code-review + maui-expert-reviewer | 1 | Yes | Identified three independent regression areas: device-test TFM, XAML implicit content-property skip checks, iOS WebView null guard |
| try-fix loop | 2 | Yes | Failure from try-fix-1 shifted focus to Android-relevant device-test TFM candidates because local XAML validation is blocked by SDK/runtime mismatch |
| try-fix loop | 3 | Yes | try-fix-2's hardcoded net11.0 fix led to try-fix-3's more robust global.json-derived Cake fallback |
| try-fix loop | 4 | No | Further Android-relevant alternatives would be trivial variants of explicit TFM, dynamic TFM, or failing fast on missing TFM; no additional meaningfully different approach was identified |
Exhausted: Yes
Selected Fix: Candidate #3 (conditional) — best validated Android-relevant alternative because static checks passed and dotnet cake eng/devices/android.cake --dryrun --target=buildOnly --targetFrameworkVersion=net11.0 reported Build Target Framework: net11.0-android. It is not a full PASS because Android device execution was unavailable and the pre-run gate detected no tests.
📋 Report — Final Recommendation
Comparative Report — PR #35464
Candidates compared
| Rank | Candidate | Result evidence | Assessment |
|---|---|---|---|
| 1 | try-fix-3 |
Build Target Framework: net11.0-android) |
Best Android-relevant candidate. It fixes the stale device-test TFM default by deriving the Cake fallback from global.json, while keeping the CI matrix at net11.0, reducing future branch-forward drift. |
| 2 | try-fix-2 |
Also fixes the Android/device-test TFM regression, but hardcodes net11.0 in Cake, making it more likely to regress on a future branch-forward merge. |
|
| 3 | pr-plus-reviewer |
Improves the PR's WebView UI-test retry helper based on expert reviewer feedback. It does not address the Android TFM regression identified by the try-fix phase, so it is less suitable for the Android-focused comparison. | |
| 4 | try-fix-1 |
Likely addresses the XAML implicit content-property skip-check finding, but it is not Android-focused and had no executed regression coverage. | |
| 5 | pr |
Raw PR leaves the try-fix phase's Android TFM concern unaddressed and has no regression-test evidence. |
No candidate had a completed failing regression-test result. Under the required rule, any candidate with a failed regression test would rank below passing candidates; here the distinction is blocked/skipped validation quality and Android relevance.
Winner
try-fix-3 is the winning candidate. It has the strongest Android-specific evidence among the candidates: static checks remove the stale net10.0 defaults from the relevant device-test files, and the Android Cake dry-run resolves the build target as net11.0-android. It is also more robust than try-fix-2 because the Cake fallback follows global.json instead of remaining a branch-stale literal.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
I detected changes in the main branch which have not been merged yet to net11.0. I'm a robot and am configured to help you automatically keep net11.0 up to date, so I've opened this PR.
This PR merges commits made on main by the following committers:
Instructions for merging from UI
This PR will not be auto-merged. When pull request checks pass, complete this PR by creating a merge commit, not a squash or rebase commit.
If this repo does not allow creating merge commits from the GitHub UI, use command line instructions.
Instructions for merging via command line
Run these commands to merge this pull request from the command line.
or if you are using SSH
After PR checks are complete push the branch
Instructions for resolving conflicts
Instructions for updating this pull request
Contributors to this repo have permission update this pull request by pushing to the branch 'merge/main-to-net11.0'. This can be done to resolve conflicts or make other changes to this pull request before it is merged.
The provided examples assume that the remote is named 'origin'. If you have a different remote name, please replace 'origin' with the name of your remote.
or if you are using SSH
Contact .NET Core Engineering (dotnet/dnceng) if you have questions or issues.
Also, if this PR was generated incorrectly, help us fix it. See https://github.com/dotnet/arcade/blob/main/.github/workflows/scripts/inter-branch-merge.ps1.