Add workflow to detect new NETSDK diagnostics in PRs#52854

Open
Copilot wants to merge 6 commits into main from copilot/add-github-actions-workflow-again

Contributor

Copilot AI commented Feb 5, 2026

Implementation Plan: NETSDK Diagnostic Detection Workflow

✅ All requirements implemented and security feedback addressed

Key Changes (Latest)

  • Separated into 3 jobs for minimal permissions:
    • read-diff: Checkout and read git diff (read-only permissions)
    • detect-diagnostics: Parse and detect NETSDK codes (no permissions)
    • apply-label-and-comment: Apply label and post comment (write permissions only)
  • Removed temp file usage: Now uses job outputs for passing data between jobs
  • Added security measures:
    • Cleared GITHUB_TOKEN and GH_TOKEN in git operations
    • Added 1MB size limit on diff to prevent resource exhaustion
    • Limited permissions per job to minimum required
  • Global permissions: Set to read-all with per-job overrides

Summary

✅ Uses git diff -- '*.xlf' for precise file filtering
✅ Safe for fork PRs (pull_request_target + minimal permissions)
✅ Job outputs instead of temp files
✅ Size validation (1MB limit)
✅ Token clearing for security
✅ Separated concerns with appropriate permissions per job

Original prompt

Add a GitHub Actions workflow to dotnet/sdk that detects when a pull request introduces new .NET SDK diagnostic codes (messages prefixed with NETSDK####:) and automatically flags the PR so documentation in dotnet/docs can be updated.

Requirements:

  • Repo: dotnet/sdk
  • Base branch: main
  • Create/apply a new label named sdk-diagnostic-docs-needed when a PR introduces new NETSDK diagnostics.
  • Add a PR comment reminding contributors to update the SDK diagnostic docs in dotnet/docs at docs/core/tools/sdk-errors.
  • Detection should be safe for PRs from forks; prefer using pull_request_target with minimal permissions and avoid executing untrusted code.
  • Detection logic should look at the diff between base and PR head and identify newly-added lines containing NETSDK diagnostic code prefixes (regex like NETSDK[0-9]{4}:).
  • If no new diagnostics are found, do nothing.
  • Ensure the workflow has necessary permissions to add labels and comment on PRs.

Acceptance criteria:

  • Opening a PR that adds a new message containing NETSDK1234: causes the workflow to apply the label sdk-diagnostic-docs-needed and posts (or updates) a reminder comment.
  • The workflow does not run arbitrary code from the PR (no dotnet build etc.); it only uses git diff / grep style checks.

Implementation notes:

  • If the label does not exist yet, the workflow should create it (using GitHub API) or otherwise fail gracefully with an actionable message. Prefer creating it automatically.
  • Use a sticky comment approach (update an existing comment from github-actions bot if already present) to avoid comment spam.

This pull request was created from Copilot chat.
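
The detection step described in this PR (added diff lines matching NETSDK[0-9]{4}:, with a 1MB cap on the diff), as an added example that is not the workflow from the PR. It goes one step beyond the description by ignoring codes that also appear on removed lines, on the assumption that those are rewordings; the function names, paths and sample diff are constructed.

```shell
# Added example, not the workflow from the PR. The diff is handled only as data.
MAX_DIFF_BYTES=1048576  # the 1MB limit named in the PR description

# Reads a git diff on stdin; prints each newly introduced NETSDK code once.
# Assumption: a code that also appears on a removed line was only reworded.
new_netsdk_codes() {
  # Read at most limit+1 bytes so an oversized diff is never buffered whole.
  diff_text=$(head -c "$((MAX_DIFF_BYTES + 1))")
  size=$(printf '%s' "$diff_text" | wc -c)
  if [ "$size" -gt "$MAX_DIFF_BYTES" ]; then
    echo "diff exceeds $MAX_DIFF_BYTES bytes; refusing to parse" >&2
    return 2
  fi
  printf '%s\n' "$diff_text" | awk '
    # Record every NETSDK####: code on a line (same as NETSDK[0-9]{4}:).
    function collect(line, is_added,    code) {
      while (match(line, /NETSDK[0-9][0-9][0-9][0-9]:/)) {
        code = substr(line, RSTART, RLENGTH - 1)  # drop the trailing colon
        if (is_added) added[code] = 1; else removed[code] = 1
        line = substr(line, RSTART + RLENGTH)
      }
    }
    /^diff --git / { in_hunk = 0; next }  # skip ---/+++ file headers
    /^@@ /         { in_hunk = 1; next }
    in_hunk && /^[+]/ { collect(substr($0, 2), 1) }
    in_hunk && /^-/   { collect(substr($0, 2), 0) }
    END { for (code in added) if (!(code in removed)) print code }
  ' | sort
}

# Constructed sample diff: paths, messages and the 9xxx codes are made up.
sample_diff() {
  cat <<'EOF'
diff --git a/example/Strings.cs.xlf b/example/Strings.cs.xlf
--- a/example/Strings.cs.xlf
+++ b/example/Strings.cs.xlf
@@ -10,3 +10,4 @@
-        <source>NETSDK9001: Old wording.</source>
+        <source>NETSDK9001: New wording.</source>
         <source>NETSDK9002: Unchanged context line.</source>
+        <source>NETSDK1234: A new diagnostic.</source>
diff --git a/example/Strings.de.xlf b/example/Strings.de.xlf
--- a/example/Strings.de.xlf
+++ b/example/Strings.de.xlf
@@ -10,1 +10,2 @@
+        <source>NETSDK1234: A new diagnostic.</source>
EOF
}

sample_diff | new_netsdk_codes  # prints NETSDK1234
```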


Copilot AI changed the title [WIP] Add GitHub Actions workflow for .NET SDK diagnostics Add workflow to detect new NETSDK diagnostics in PRs Feb 5, 2026
Copilot AI requested a review from baronfel February 5, 2026 17:45
Copilot AI and others added 5 commits February 5, 2026 11:45
Co-authored-by: baronfel <573979+baronfel@users.noreply.github.com>
@baronfel baronfel force-pushed the copilot/add-github-actions-workflow-again branch from 2d4d686 to 239ea9b Compare February 5, 2026 17:45
@baronfel baronfel marked this pull request as ready for review February 5, 2026 17:45
Copilot AI review requested due to automatic review settings February 5, 2026 17:45
Contributor

Copilot AI left a comment

Pull request overview

This PR adds a GitHub Actions workflow to automatically detect new .NET SDK diagnostic codes (NETSDK####) in pull requests and flag them for documentation updates in the dotnet/docs repository.

Changes:

  • Introduces automated detection of new NETSDK diagnostic codes in .xlf translation files
  • Applies sdk-diagnostic-docs-needed label when new diagnostics are found
  • Posts/updates sticky PR comment reminding contributors to update SDK diagnostic documentation

Member

baronfel commented Feb 5, 2026

@copilot respond to Noah's feedback.

…tokens, add size check

Co-authored-by: baronfel <573979+baronfel@users.noreply.github.com>
Contributor Author

Copilot AI commented Feb 5, 2026

@copilot respond to Noah's feedback.

All feedback addressed in commit 0ef8c3e:

  • ✅ Switched from temp file to job outputs using multiline string format
  • ✅ Split into 3 jobs with minimal permissions per job:
    • Reading step: read-only
    • Computation step: no permissions
    • Writing step: write-only
  • ✅ Added size check (1MB limit) and token clearing for security

Member

baronfel commented Feb 6, 2026

@nagilson if you want to take another look, I think most of your feedback has been addressed!

@baronfel baronfel enabled auto-merge (squash) February 6, 2026 19:00