From c4e0b338ba61546a5136f91e5f26234dabcff7bc Mon Sep 17 00:00:00 2001
From: Daniel McIlvaney <damcilva@microsoft.com>
Date: Fri, 29 May 2026 15:33:49 -0700
Subject: [PATCH 1/4] chore: enable dependabot cofig

---
 .github/dependabot.yml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000000..3c69c1a0cd6
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,31 @@
+version: 2
+
+updates:
+  # Python tooling dependencies — keep pip-installed scripts patched.
+  # `directories` (plural) supports globbing, so new requirements.txt files
+  # under these paths are picked up automatically without editing this file.
+  # `directory` (singular) does NOT support globbing.
+  - package-ecosystem: pip
+    directories:
+      - /.github/workflows/scripts/*
+      - /scripts/*
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 5
+    labels:
+      - dependencies
+      - python
+
+  # GitHub Actions used by PR-check workflows.
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 5
+    labels:
+      - dependencies
+      - github-actions
+    groups:
+      actions:
+        patterns:
+          - "*"

From 146d6f84aca6223df824ba012448df81eb9dcb43 Mon Sep 17 00:00:00 2001
From: Daniel McIlvaney <damcilva@microsoft.com>
Date: Fri, 29 May 2026 18:07:24 -0700
Subject: [PATCH 2/4] refactor(ci): move pipeline helper scripts to scripts/ci/
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Dependabot's pip updater cannot open PRs that modify any file under .github/
(only the github-actions ecosystem is granted that scope), so requirements.txt
under .github/workflows/scripts/ could never be auto-updated. Relocate the
helper-scripts subtree to top-level scripts/ci/ — linted (ruff/pyright scan
scripts/) and writable by Dependabot. Pure rename; reference updates follow.
---
 {.github/workflows/scripts => scripts/ci}/components/README.md    | 0
 .../scripts => scripts/ci}/components/compute_change_set.sh       | 0
 .../scripts => scripts/ci}/components/compute_changed.sh          | 0
 .../scripts => scripts/ci}/components/compute_render_set.py       | 0
 {.github/workflows/scripts => scripts/ci}/control-tower/client.py | 0
 .../scripts => scripts/ci}/control-tower/requirements.txt         | 0
 .../scripts => scripts/ci}/control-tower/run_package_build.py     | 0
 .../workflows/scripts => scripts/ci}/control-tower/run_prcheck.py | 0
 .../scripts => scripts/ci}/control-tower/verify_locks.sh          | 0
 .../scripts => scripts/ci}/locks-check/post_locks_comment.py      | 0
 .../ci}/render-specs-check/check_rendered_specs.py                | 0
 .../ci}/render-specs-check/post_render_comment.py                 | 0
 {.github/workflows/scripts => scripts/ci}/spec-review/README.md   | 0
 {.github/workflows/scripts => scripts/ci}/spec-review/_common.py  | 0
 .../ci}/spec-review/create_check_annotations.py                   | 0
 .../scripts => scripts/ci}/spec-review/format_pr_comment.py       | 0
 .../workflows/scripts => scripts/ci}/spec-review/requirements.txt | 0
 .../workflows/scripts => scripts/ci}/spec-review/spec_review.sh   | 0
 .../scripts => scripts/ci}/spec-review/spec_review_multi.sh       | 0
 .../scripts => scripts/ci}/spec-review/spec_review_schema.py      | 0
 20 files changed, 0 insertions(+), 0 deletions(-)
 rename {.github/workflows/scripts => scripts/ci}/components/README.md (100%)
 rename {.github/workflows/scripts => scripts/ci}/components/compute_change_set.sh (100%)
 rename {.github/workflows/scripts => scripts/ci}/components/compute_changed.sh (100%)
 rename {.github/workflows/scripts => scripts/ci}/components/compute_render_set.py (100%)
 rename {.github/workflows/scripts => scripts/ci}/control-tower/client.py (100%)
 rename {.github/workflows/scripts => scripts/ci}/control-tower/requirements.txt (100%)
 rename {.github/workflows/scripts => scripts/ci}/control-tower/run_package_build.py (100%)
 rename {.github/workflows/scripts => scripts/ci}/control-tower/run_prcheck.py (100%)
 rename {.github/workflows/scripts => scripts/ci}/control-tower/verify_locks.sh (100%)
 rename {.github/workflows/scripts => scripts/ci}/locks-check/post_locks_comment.py (100%)
 rename {.github/workflows/scripts => scripts/ci}/render-specs-check/check_rendered_specs.py (100%)
 rename {.github/workflows/scripts => scripts/ci}/render-specs-check/post_render_comment.py (100%)
 rename {.github/workflows/scripts => scripts/ci}/spec-review/README.md (100%)
 rename {.github/workflows/scripts => scripts/ci}/spec-review/_common.py (100%)
 rename {.github/workflows/scripts => scripts/ci}/spec-review/create_check_annotations.py (100%)
 rename {.github/workflows/scripts => scripts/ci}/spec-review/format_pr_comment.py (100%)
 rename {.github/workflows/scripts => scripts/ci}/spec-review/requirements.txt (100%)
 rename {.github/workflows/scripts => scripts/ci}/spec-review/spec_review.sh (100%)
 rename {.github/workflows/scripts => scripts/ci}/spec-review/spec_review_multi.sh (100%)
 rename {.github/workflows/scripts => scripts/ci}/spec-review/spec_review_schema.py (100%)

diff --git a/.github/workflows/scripts/components/README.md b/scripts/ci/components/README.md
similarity index 100%
rename from .github/workflows/scripts/components/README.md
rename to scripts/ci/components/README.md
diff --git a/.github/workflows/scripts/components/compute_change_set.sh b/scripts/ci/components/compute_change_set.sh
similarity index 100%
rename from .github/workflows/scripts/components/compute_change_set.sh
rename to scripts/ci/components/compute_change_set.sh
diff --git a/.github/workflows/scripts/components/compute_changed.sh b/scripts/ci/components/compute_changed.sh
similarity index 100%
rename from .github/workflows/scripts/components/compute_changed.sh
rename to scripts/ci/components/compute_changed.sh
diff --git a/.github/workflows/scripts/components/compute_render_set.py b/scripts/ci/components/compute_render_set.py
similarity index 100%
rename from .github/workflows/scripts/components/compute_render_set.py
rename to scripts/ci/components/compute_render_set.py
diff --git a/.github/workflows/scripts/control-tower/client.py b/scripts/ci/control-tower/client.py
similarity index 100%
rename from .github/workflows/scripts/control-tower/client.py
rename to scripts/ci/control-tower/client.py
diff --git a/.github/workflows/scripts/control-tower/requirements.txt b/scripts/ci/control-tower/requirements.txt
similarity index 100%
rename from .github/workflows/scripts/control-tower/requirements.txt
rename to scripts/ci/control-tower/requirements.txt
diff --git a/.github/workflows/scripts/control-tower/run_package_build.py b/scripts/ci/control-tower/run_package_build.py
similarity index 100%
rename from .github/workflows/scripts/control-tower/run_package_build.py
rename to scripts/ci/control-tower/run_package_build.py
diff --git a/.github/workflows/scripts/control-tower/run_prcheck.py b/scripts/ci/control-tower/run_prcheck.py
similarity index 100%
rename from .github/workflows/scripts/control-tower/run_prcheck.py
rename to scripts/ci/control-tower/run_prcheck.py
diff --git a/.github/workflows/scripts/control-tower/verify_locks.sh b/scripts/ci/control-tower/verify_locks.sh
similarity index 100%
rename from .github/workflows/scripts/control-tower/verify_locks.sh
rename to scripts/ci/control-tower/verify_locks.sh
diff --git a/.github/workflows/scripts/locks-check/post_locks_comment.py b/scripts/ci/locks-check/post_locks_comment.py
similarity index 100%
rename from .github/workflows/scripts/locks-check/post_locks_comment.py
rename to scripts/ci/locks-check/post_locks_comment.py
diff --git a/.github/workflows/scripts/render-specs-check/check_rendered_specs.py b/scripts/ci/render-specs-check/check_rendered_specs.py
similarity index 100%
rename from .github/workflows/scripts/render-specs-check/check_rendered_specs.py
rename to scripts/ci/render-specs-check/check_rendered_specs.py
diff --git a/.github/workflows/scripts/render-specs-check/post_render_comment.py b/scripts/ci/render-specs-check/post_render_comment.py
similarity index 100%
rename from .github/workflows/scripts/render-specs-check/post_render_comment.py
rename to scripts/ci/render-specs-check/post_render_comment.py
diff --git a/.github/workflows/scripts/spec-review/README.md b/scripts/ci/spec-review/README.md
similarity index 100%
rename from .github/workflows/scripts/spec-review/README.md
rename to scripts/ci/spec-review/README.md
diff --git a/.github/workflows/scripts/spec-review/_common.py b/scripts/ci/spec-review/_common.py
similarity index 100%
rename from .github/workflows/scripts/spec-review/_common.py
rename to scripts/ci/spec-review/_common.py
diff --git a/.github/workflows/scripts/spec-review/create_check_annotations.py b/scripts/ci/spec-review/create_check_annotations.py
similarity index 100%
rename from .github/workflows/scripts/spec-review/create_check_annotations.py
rename to scripts/ci/spec-review/create_check_annotations.py
diff --git a/.github/workflows/scripts/spec-review/format_pr_comment.py b/scripts/ci/spec-review/format_pr_comment.py
similarity index 100%
rename from .github/workflows/scripts/spec-review/format_pr_comment.py
rename to scripts/ci/spec-review/format_pr_comment.py
diff --git a/.github/workflows/scripts/spec-review/requirements.txt b/scripts/ci/spec-review/requirements.txt
similarity index 100%
rename from .github/workflows/scripts/spec-review/requirements.txt
rename to scripts/ci/spec-review/requirements.txt
diff --git a/.github/workflows/scripts/spec-review/spec_review.sh b/scripts/ci/spec-review/spec_review.sh
similarity index 100%
rename from .github/workflows/scripts/spec-review/spec_review.sh
rename to scripts/ci/spec-review/spec_review.sh
diff --git a/.github/workflows/scripts/spec-review/spec_review_multi.sh b/scripts/ci/spec-review/spec_review_multi.sh
similarity index 100%
rename from .github/workflows/scripts/spec-review/spec_review_multi.sh
rename to scripts/ci/spec-review/spec_review_multi.sh
diff --git a/.github/workflows/scripts/spec-review/spec_review_schema.py b/scripts/ci/spec-review/spec_review_schema.py
similarity index 100%
rename from .github/workflows/scripts/spec-review/spec_review_schema.py
rename to scripts/ci/spec-review/spec_review_schema.py

From 60cc2486bbfcf4c4fe43cb22c133ebf48526ec6d Mon Sep 17 00:00:00 2001
From: Daniel McIlvaney <damcilva@microsoft.com>
Date: Fri, 29 May 2026 18:12:26 -0700
Subject: [PATCH 3/4] refactor(ci): point references at scripts/ci/

Update all callers, dependabot.yml, and instruction docs to the new
scripts/ci/ location. dependabot pip ecosystem uses a single recursive
/scripts/** glob covering scripts/ci/{control-tower,spec-review} and
scripts/mcps. Add cooldown (delay new releases to catch bad ones) and
group all python tooling bumps into one PR.
---
 .github/dependabot.yml                        | 16 +++++++++++--
 .../instructions/ado-pipeline.instructions.md | 18 +++++++-------
 .../pr-check-workflows.instructions.md        |  2 +-
 .github/workflows/ado/sources-upload.yml      |  4 ++--
 .../ado/templates/sources-upload-stages.yml   | 10 ++++----
 .github/workflows/check-rendered-specs.yml    |  8 +++----
 .github/workflows/spec-review.disabled        | 20 ++++++++--------
 scripts/ci/components/README.md               |  2 +-
 scripts/ci/spec-review/README.md              | 24 +++++++++----------
 scripts/ci/spec-review/format_pr_comment.py   |  2 +-
 scripts/ci/spec-review/spec_review.sh         |  2 +-
 scripts/ci/spec-review/spec_review_multi.sh   |  2 +-
 12 files changed, 61 insertions(+), 49 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 3c69c1a0cd6..b0e1cfa3aef 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -7,14 +7,23 @@ updates:
   # `directory` (singular) does NOT support globbing.
   - package-ecosystem: pip
     directories:
-      - /.github/workflows/scripts/*
-      - /scripts/*
+      - /scripts/**
     schedule:
       interval: weekly
     open-pull-requests-limit: 5
     labels:
       - dependencies
       - python
+    # Wait until a release has been public for a few days before opening a PR,
+    # so yanked/broken releases get caught upstream first. Majors wait longer.
+    cooldown:
+      default-days: 7
+      semver-major-days: 14
+    # Bundle all python tooling bumps into a single PR per run.
+    groups:
+      python:
+        patterns:
+          - "*"
 
   # GitHub Actions used by PR-check workflows.
   - package-ecosystem: github-actions
@@ -25,6 +34,9 @@ updates:
     labels:
       - dependencies
       - github-actions
+    # github-actions cooldown only supports a flat default-days (no semver granularity).
+    cooldown:
+      default-days: 7
     groups:
       actions:
         patterns:
diff --git a/.github/instructions/ado-pipeline.instructions.md b/.github/instructions/ado-pipeline.instructions.md
index f72bbf479a9..2c07de5c78f 100644
--- a/.github/instructions/ado-pipeline.instructions.md
+++ b/.github/instructions/ado-pipeline.instructions.md
@@ -1,16 +1,16 @@
 ---
-applyTo: ".github/workflows/ado/*.yml,.github/workflows/ado/templates/*.yml,.github/workflows/scripts/**"
-description: "Authoring and maintenance rules for Azure DevOps YAML pipelines under .github/workflows/ado/ (wrappers + raw stage templates under templates/) and their helper scripts under .github/workflows/scripts/ that run as GitHub PR checks or in the merge queue. Apply when creating or modifying any pipeline in that folder, or any script invoked by one — covers the wrapper/raw split, required OneBranch templates (Official vs NonOfficial), Workload Identity Federation service connections, Control Tower audience URIs, internal-only dependency sources (Go / Python / container images), Python-over-shell scripting, and security hardening."
+applyTo: ".github/workflows/ado/*.yml,.github/workflows/ado/templates/*.yml,scripts/ci/**"
+description: "Authoring and maintenance rules for Azure DevOps YAML pipelines under .github/workflows/ado/ (wrappers + raw stage templates under templates/) and their helper scripts under scripts/ci/ that run as GitHub PR checks or in the merge queue. Apply when creating or modifying any pipeline in that folder, or any script invoked by one — covers the wrapper/raw split, required OneBranch templates (Official vs NonOfficial), Workload Identity Federation service connections, Control Tower audience URIs, internal-only dependency sources (Go / Python / container images), Python-over-shell scripting, and security hardening."
 ---
 
 # Azure DevOps Pipelines (PR check & merge queue)
 
-These instructions cover ADO YAML pipelines under `.github/workflows/ado/` that run as GitHub PR checks or in the merge queue, plus their helper scripts under `.github/workflows/scripts/`. Follow every MUST below — they encode internal Microsoft policy plus security hardening for this repo.
+These instructions cover ADO YAML pipelines under `.github/workflows/ado/` that run as GitHub PR checks or in the merge queue, plus their helper scripts under `scripts/ci/`. Follow every MUST below — they encode internal Microsoft policy plus security hardening for this repo.
 
-Helper scripts invoked from these pipelines MUST live under `.github/workflows/scripts/<area>/`. Two layouts are supported:
+Helper scripts invoked from these pipelines MUST live under `scripts/ci/<area>/`. Two layouts are supported:
 
 1. **Per-pipeline** — `<area>/` is a logical area or pipeline name (e.g. `control-tower/`, `render-specs-check/`). The default.
-2. **Cross-pipeline shared** — `<area>/` = `components/`. Helpers here are deliberately consumed by multiple pipelines (GitHub Actions PR gates AND the ADO Control Tower pipeline). See [`.github/workflows/scripts/components/README.md`](../workflows/scripts/components/README.md) for the caller contract. A regression in this area breaks multiple gates at once, so changes need extra care.
+2. **Cross-pipeline shared** — `<area>/` = `components/`. Helpers here are deliberately consumed by multiple pipelines (GitHub Actions PR gates AND the ADO Control Tower pipeline). See [`scripts/ci/components/README.md`](../../scripts/ci/components/README.md) for the caller contract. A regression in this area breaks multiple gates at once, so changes need extra care.
 
 In either case, keep helpers self-contained and follow the same security hardening rules as the pipeline YAML itself.
 
@@ -159,7 +159,7 @@ The authoritative list and rules live at https://eng.ms/docs/more/containers-sec
 
 ## Scripting
 
-Avoid shell scripts beyond the smallest possible wiring (env exports, `##vso[...]` log commands, single-command tool invocations). For anything more complex — argument parsing, control flow, JSON/YAML handling, HTTP, branch-name/SHA parsing — write a **Python script** under `.github/workflows/scripts/<area>/` and invoke it from the pipeline:
+Avoid shell scripts beyond the smallest possible wiring (env exports, `##vso[...]` log commands, single-command tool invocations). For anything more complex — argument parsing, control flow, JSON/YAML handling, HTTP, branch-name/SHA parsing — write a **Python script** under `scripts/ci/<area>/` and invoke it from the pipeline:
 
 ```yaml
 - task: AzureCLI@2
@@ -170,7 +170,7 @@ Avoid shell scripts beyond the smallest possible wiring (env exports, `##vso[...
     scriptLocation: inlineScript
     inlineScript: |
       set -euo pipefail
-      python3 .github/workflows/scripts/<area>/<script>.py \
+      python3 scripts/ci/<area>/<script>.py \
         --api-audience "$API_AUDIENCE" \
         --api-base-url "$API_BASE_URL"
   env:
@@ -291,7 +291,7 @@ stages:
               scriptLocation: inlineScript
               inlineScript: |
                 set -euo pipefail
-                python3 .github/workflows/scripts/<area>/<script>.py \
+                python3 scripts/ci/<area>/<script>.py \
                   --api-audience "$API_AUDIENCE" \
                   --api-base-url "$API_BASE_URL"
             env:
@@ -314,6 +314,6 @@ Run through this list whenever you add or modify a pipeline in `.github/workflow
 - [ ] All Azure / Control Tower access goes through `AzureCLI@2` with a least-privilege Service Connection (WIF/OIDC). No PATs or password logins.
 - [ ] Control Tower calls use the correct **per-environment audience URI** sourced from a variable group; nothing hardcoded.
 - [ ] No upstream dependency pulls: Go uses `internalModuleProxy`, Python uses `PipAuthenticate@1`, container images come from `mcr.microsoft.com`.
-- [ ] Any non-trivial logic lives in a Python script under `.github/workflows/scripts/`, not inline bash.
+- [ ] Any non-trivial logic lives in a Python script under `scripts/ci/`, not inline bash.
 - [ ] Secrets passed via `env:` (never inline `$(...)`); `set -euo pipefail` in shell blocks; tool versions pinned (only `GovernedTemplates@main` exempted).
 - [ ] Explicit `timeoutInMinutes` on each job; PR-supplied inputs validated with strict regex.
diff --git a/.github/instructions/pr-check-workflows.instructions.md b/.github/instructions/pr-check-workflows.instructions.md
index c2f0acf559b..41fe37d9efa 100644
--- a/.github/instructions/pr-check-workflows.instructions.md
+++ b/.github/instructions/pr-check-workflows.instructions.md
@@ -52,7 +52,7 @@ Build it with the caller's UID so bind-mounted writes don't end up root-owned:
 | ----- | ---- | ------- |
 | `pr-head/` → `/workdir` | rw | PR checkout. rw because `azldev` writes to `specs/`, `base/build/`, etc. |
 | `<host-output-dir>/` → `/output` | rw | Trusted-shape outputs (JSON reports, patches, ...) the container produces for the host to consume after the run. |
-| `.github/workflows/scripts/<area>/` → `/scripts` | ro | Helper scripts from the trusted base checkout. Mount the narrowest subdirectory the container actually needs — do **not** bind-mount the whole `scripts/` tree if only one area is invoked inside. |
+| `scripts/ci/<area>/` → `/scripts` | ro | Helper scripts from the trusted base checkout. Mount the narrowest subdirectory the container actually needs — do **not** bind-mount the whole `scripts/` tree if only one area is invoked inside. |
 
 #### Sandbox flags (minimum viable for `mock`)
 
diff --git a/.github/workflows/ado/sources-upload.yml b/.github/workflows/ado/sources-upload.yml
index 778444887d7..9d7f562e8be 100644
--- a/.github/workflows/ado/sources-upload.yml
+++ b/.github/workflows/ado/sources-upload.yml
@@ -13,8 +13,8 @@
 #      from the merge queue, not here.
 #   2. Submit scratch package builds for changed components.
 #
-# Helper scripts live under .github/workflows/scripts/control-tower/
-# (Control Tower-specific) and .github/workflows/scripts/components/
+# Helper scripts live under scripts/ci/control-tower/
+# (Control Tower-specific) and scripts/ci/components/
 # (cross-pipeline azldev helpers shared with the GH Actions PR gates).
 #
 # Prerequisites (ADO / Azure Portal):
diff --git a/.github/workflows/ado/templates/sources-upload-stages.yml b/.github/workflows/ado/templates/sources-upload-stages.yml
index cb9707fd7a2..e0ef83cd99c 100644
--- a/.github/workflows/ado/templates/sources-upload-stages.yml
+++ b/.github/workflows/ado/templates/sources-upload-stages.yml
@@ -112,7 +112,7 @@ stages:
               echo "##[endgroup]"
 
               echo "##[group]Python dependencies"
-              pip install -r .github/workflows/scripts/control-tower/requirements.txt
+              pip install -r scripts/ci/control-tower/requirements.txt
               echo "##[endgroup]"
             displayName: "Install dependencies"
 
@@ -120,7 +120,7 @@ stages:
           # writing, exits nonzero if any lock would change.
           - script: |
               set -euo pipefail
-              .github/workflows/scripts/control-tower/verify_locks.sh \
+              scripts/ci/control-tower/verify_locks.sh \
                 --output-file "$(Build.ArtifactStagingDirectory)/lock-update.json" \
                 --publish-dir "$(ob_outputDirectory)"
             displayName: "Verify lock files are up to date"
@@ -168,7 +168,7 @@ stages:
               trap publish_artifact EXIT
 
               echo "##[group]Preparing change set"
-              .github/workflows/scripts/components/compute_change_set.sh \
+              scripts/ci/components/compute_change_set.sh \
                 --output-dir "$change_set_dir" \
                 --source-commit "$(sourceCommit)" \
                 --target-commit "$(targetCommit)"
@@ -232,7 +232,7 @@ stages:
               inlineScript: |
                 set -euo pipefail
 
-                python3 .github/workflows/scripts/control-tower/run_prcheck.py \
+                python3 scripts/ci/control-tower/run_prcheck.py \
                   --api-audience "$API_AUDIENCE" \
                   --api-base-url "$API_BASE_URL" \
                   --build-reason "$BUILD_REASON" \
@@ -259,7 +259,7 @@ stages:
               inlineScript: |
                 set -euo pipefail
 
-                python3 .github/workflows/scripts/control-tower/run_package_build.py \
+                python3 scripts/ci/control-tower/run_package_build.py \
                   --api-audience "$API_AUDIENCE" \
                   --api-base-url "$API_BASE_URL" \
                   --build-reason "$BUILD_REASON" \
diff --git a/.github/workflows/check-rendered-specs.yml b/.github/workflows/check-rendered-specs.yml
index e81a7b66e04..f62048a197c 100644
--- a/.github/workflows/check-rendered-specs.yml
+++ b/.github/workflows/check-rendered-specs.yml
@@ -227,7 +227,7 @@ jobs:
           PATCH_URL: ${{ needs.update_locks.outputs.patch-url }}
           RUN_ID: ${{ github.run_id }}
         run: |
-          python .github/workflows/scripts/locks-check/post_locks_comment.py \
+          python scripts/ci/locks-check/post_locks_comment.py \
             --repo "$PR_REPO" \
             --pr "$PR_NUMBER" \
             --update-output update-output/update-output.json \
@@ -341,8 +341,8 @@ jobs:
             --security-opt apparmor=unconfined \
             -v "$WORKSPACE/pr-head:/workdir" \
             -v "$WORKSPACE/render-output:/output" \
-            -v "$WORKSPACE/.github/workflows/scripts/render-specs-check:/scripts-render:ro" \
-            -v "$WORKSPACE/.github/workflows/scripts/components:/scripts-components:ro" \
+            -v "$WORKSPACE/scripts/ci/render-specs-check:/scripts-render:ro" \
+            -v "$WORKSPACE/scripts/ci/components:/scripts-components:ro" \
             -e PR_BASE_SHA \
             -e PR_HEAD_SHA \
             -e BASE_REPO \
@@ -512,7 +512,7 @@ jobs:
           PATCH_URL: ${{ needs.render.outputs.patch-url }}
           RUN_ID: ${{ github.run_id }}
         run: |
-          python .github/workflows/scripts/render-specs-check/post_render_comment.py \
+          python scripts/ci/render-specs-check/post_render_comment.py \
             --repo "$PR_REPO" \
             --pr "$PR_NUMBER" \
             --report render-output/render-check-report.json \
diff --git a/.github/workflows/spec-review.disabled b/.github/workflows/spec-review.disabled
index f9415b9ef97..c28b947f8d1 100644
--- a/.github/workflows/spec-review.disabled
+++ b/.github/workflows/spec-review.disabled
@@ -146,7 +146,7 @@ jobs:
 
       - name: Install dependencies
         if: steps.changed-specs.outputs.skip != 'true'
-        run: pip install -r .github/workflows/scripts/spec-review/requirements.txt
+        run: pip install -r scripts/ci/spec-review/requirements.txt
 
       - name: Install Copilot CLI
         if: steps.changed-specs.outputs.skip != 'true'
@@ -154,18 +154,18 @@ jobs:
           npm i -g @github/copilot
           copilot --version
 
-      # Local developer guide: .github/workflows/scripts/spec-review/README.md
+      # Local developer guide: scripts/ci/spec-review/README.md
       - name: Run Copilot spec review (multi-model)
         if: steps.changed-specs.outputs.skip != 'true'
         run: |
-          chmod +x .github/workflows/scripts/spec-review/spec_review_multi.sh
+          chmod +x scripts/ci/spec-review/spec_review_multi.sh
           # Build a properly-quoted array from the line-delimited spec list file
           SPEC_ARGS=()
           while IFS= read -r spec; do
             [[ -z "$spec" ]] && continue
             SPEC_ARGS+=("--spec" "$spec")
           done < .spec_review_paths.txt
-          .github/workflows/scripts/spec-review/spec_review_multi.sh "${SPEC_ARGS[@]}" \
+          scripts/ci/spec-review/spec_review_multi.sh "${SPEC_ARGS[@]}" \
             --work-dir .spec_review/workdir
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -218,7 +218,7 @@ jobs:
         run: |
           # NOTE: Label model names must match defaults in spec-review/spec_review_multi.sh
           # (DEFAULT_MODEL1, DEFAULT_MODEL2, DEFAULT_SYNTH_MODEL)
-          python .github/workflows/scripts/spec-review/spec_review_schema.py compare \
+          python scripts/ci/spec-review/spec_review_schema.py compare \
             .spec_review/workdir/report_a.json \
             .spec_review/workdir/report_b.json \
             .spec_review/report.json \
@@ -232,7 +232,7 @@ jobs:
         id: validate
         run: |
           # Validate JSON structure
-          python .github/workflows/scripts/spec-review/spec_review_schema.py .spec_review/report.json --json
+          python scripts/ci/spec-review/spec_review_schema.py .spec_review/report.json --json
 
           # Count errors and warnings
           ERROR_COUNT=$(jq '[.spec_reviews[].errors | length] | add // 0' .spec_review/report.json)
@@ -251,7 +251,7 @@ jobs:
         if: steps.changed-specs.outputs.skip != 'true'
         run: |
           # Generate workflow commands that create inline annotations
-          python .github/workflows/scripts/spec-review/create_check_annotations.py .spec_review/report.json \
+          python scripts/ci/spec-review/create_check_annotations.py .spec_review/report.json \
             --repo-root "$GITHUB_WORKSPACE" --workflow-commands
 
       - name: Post PR comment
@@ -264,7 +264,7 @@ jobs:
         run: |
           # Generate formatted comment to a temp file (avoids ARG_MAX issues with large comments)
           COMMENT_FILE=$(mktemp)
-          python .github/workflows/scripts/spec-review/format_pr_comment.py \
+          python scripts/ci/spec-review/format_pr_comment.py \
             .spec_review/report.json \
             --repo "$REPO" \
             --sha "$HEAD_SHA" \
@@ -295,7 +295,7 @@ jobs:
           REPO: ${{ inputs.repo || github.repository }}
           HEAD_SHA: ${{ inputs.pr-head-sha || github.sha }}
         run: |
-          python .github/workflows/scripts/spec-review/format_pr_comment.py \
+          python scripts/ci/spec-review/format_pr_comment.py \
             .spec_review/report.json \
             --repo "$REPO" \
             --sha "$HEAD_SHA" \
@@ -320,5 +320,5 @@ jobs:
           echo "Found ${ERROR_COUNT} error(s) in spec review"
           echo ""
           # Print all findings so "View details" shows everything
-          python .github/workflows/scripts/spec-review/spec_review_schema.py .spec_review/report.json --all
+          python scripts/ci/spec-review/spec_review_schema.py .spec_review/report.json --all
           exit 1
diff --git a/scripts/ci/components/README.md b/scripts/ci/components/README.md
index a2fe84510e6..c7db2dd173a 100644
--- a/scripts/ci/components/README.md
+++ b/scripts/ci/components/README.md
@@ -18,7 +18,7 @@ Control Tower integration pipeline
   upload the output dir as they see fit.
 - **azldev as root.** All `azldev` invocations use an inline
   `AZLDEV_ALLOW_ROOT=1` prefix per
-  [`ado-pipeline.instructions.md`](../../../instructions/ado-pipeline.instructions.md).
+  [`ado-pipeline.instructions.md`](../../../.github/instructions/ado-pipeline.instructions.md).
   Callers do **not** set this at step scope.
 - **Single source of truth.** Both pipelines should call these scripts
   rather than re-implementing the change-set computation. A regression
diff --git a/scripts/ci/spec-review/README.md b/scripts/ci/spec-review/README.md
index 00037382804..9c9fe72f83a 100644
--- a/scripts/ci/spec-review/README.md
+++ b/scripts/ci/spec-review/README.md
@@ -6,13 +6,13 @@ There are three major paths:
 
 1. **[Use VS Code / Copilot Chat](#use-vs-code--copilot-chat)** (interactive, most flexible)
 2. **[Run the shell scripts](#run-single-model-review-spec_reviewsh)** (single or multi-model, automated)
-3. **[Use Copilot CLI manually](#use-copilot-cli-manually)** (interactive, most flexible, scriptable)
+3. **[Use Copilot CLI manually](#use-copilot-cli-manually-interactive-most-flexible-scriptable)** (interactive, most flexible, scriptable)
 
 ---
 
 ## Use VS Code / Copilot Chat
 
-The easiest way to get quick, interactive feedback is with [GitHub Copilot](https://github.com/features/copilot) in VS Code (or via [Copilot CLI](#use-copilot-cli-manually)). The `spec-review` agent is designed to review spec files and provide feedback in a structured format the same way as the shell scripts, but with the added benefit of a conversational interface where you can ask follow-up questions, request clarifications, or dive deeper into specific issues.
+The easiest way to get quick, interactive feedback is with [GitHub Copilot](https://github.com/features/copilot) in VS Code (or via [Copilot CLI](#use-copilot-cli-manually-interactive-most-flexible-scriptable)). The `spec-review` agent is designed to review spec files and provide feedback in a structured format the same way as the shell scripts, but with the added benefit of a conversational interface where you can ask follow-up questions, request clarifications, or dive deeper into specific issues.
 
 1. Open this repo in VS Code with **GitHub Copilot Chat**.
 2. In Copilot Chat, select the **`spec-review`** agent (bottom left corner of the chat window, "Agent", "Ask", "Edit", "Plan", etc.)
@@ -38,7 +38,7 @@ The easiest way to get quick, interactive feedback is with [GitHub Copilot](http
 ```bash
 cd ~/repos/azurelinux
 python -m venv .venv && source .venv/bin/activate
-pip install -r .github/workflows/scripts/spec-review/requirements.txt
+pip install -r scripts/ci/spec-review/requirements.txt
     gh copilot
     # OR
     npm install -g @github/copilot
@@ -51,19 +51,19 @@ copilot --version  # verify CLI
 # Defaults: reviews all *.spec in repo, writes to repo root
 #   spec_review_report.json, copilot_log.md, spec_review_kb.md
 
-./.github/workflows/scripts/spec-review/spec_review.sh \
+./scripts/ci/spec-review/spec_review.sh \
   --spec base/comps/azurelinux-release/azurelinux-release.spec \
   --spec base/comps/azurelinux-repos/azurelinux-repos.spec
 
 # Validate / inspect
-python .github/workflows/scripts/spec-review/spec_review_schema.py /tmp/spec_review_report.json --all
-python .github/workflows/scripts/spec-review/spec_review_schema.py /tmp/spec_review_report.json --json | jq
+python scripts/ci/spec-review/spec_review_schema.py /tmp/spec_review_report.json --all
+python scripts/ci/spec-review/spec_review_schema.py /tmp/spec_review_report.json --json | jq
 ```
 
 The script supports additional options (like selecting a model, or using different URLs); run with `--help` for details.
 
 ```bash
-./.github/workflows/scripts/spec-review/spec_review.sh --help
+./scripts/ci/spec-review/spec_review.sh --help
 ```
 
 ## Run multi-model review (spec_review_multi.sh)
@@ -79,11 +79,11 @@ uses a third model pass to synthesize their findings into a single high-quality
 
 ```bash
 # Defaults: claude-opus-4.6 + gpt-5.2-codex reviewers, gpt-5.2-codex synthesizer
-./.github/workflows/scripts/spec-review/spec_review_multi.sh \
+./scripts/ci/spec-review/spec_review_multi.sh \
   --spec base/comps/azurelinux-release/azurelinux-release.spec
 
 # Custom models
-./.github/workflows/scripts/spec-review/spec_review_multi.sh \
+./scripts/ci/spec-review/spec_review_multi.sh \
   --spec foo.spec \
   --model1 gpt-5.2-codex \
   --model2 claude-opus-4.6 \
@@ -101,7 +101,7 @@ ls /tmp/spec_review_workdir/
 Run with `--help` for all options:
 
 ```bash
-./.github/workflows/scripts/spec-review/spec_review_multi.sh --help
+./scripts/ci/spec-review/spec_review_multi.sh --help
 ```
 
 ---
@@ -119,7 +119,7 @@ copilot --agent spec-review
 ```bash
 # For semi-automated or fully automated runs, use -i or -p flags:
 prompt="Review: base/comps/azurelinux-release/azurelinux-release.spec against packaging guidelines.\n"\
-"Write JSON to spec_review_report.json and validate with: python .github/workflows/scripts/spec-review/spec_review_schema.py spec_review_report.json"
+"Write JSON to spec_review_report.json and validate with: python scripts/ci/spec-review/spec_review_schema.py spec_review_report.json"
 
 # Semi-interactive (runs prompt, then waits for the user)
 copilot --agent spec-review \
@@ -144,7 +144,7 @@ copilot --agent spec-review \
   -p "$prompt"
 
 # Review output
-python .github/workflows/scripts/spec-review/spec_review_schema.py spec_review_report.json --all
+python scripts/ci/spec-review/spec_review_schema.py spec_review_report.json --all
 ```
 
 ## Future work
diff --git a/scripts/ci/spec-review/format_pr_comment.py b/scripts/ci/spec-review/format_pr_comment.py
index e85cb56a17c..af689ace4ae 100755
--- a/scripts/ci/spec-review/format_pr_comment.py
+++ b/scripts/ci/spec-review/format_pr_comment.py
@@ -46,7 +46,7 @@ def format_comment(report: dict, repo: str, sha: str, repo_root: Optional[Path]
         f"| Warnings | {total_warnings} |",
         f"| Suggestions | {total_suggestions} |",
         "",
-        f"🛠️ Debug locally: [.github/workflows/scripts/spec-review/README.md](https://github.com/{repo}/blob/{sha}/.github/workflows/scripts/spec-review/README.md)",
+        f"🛠️ Debug locally: [scripts/ci/spec-review/README.md](https://github.com/{repo}/blob/{sha}/scripts/ci/spec-review/README.md)",
         "",
     ]
 
diff --git a/scripts/ci/spec-review/spec_review.sh b/scripts/ci/spec-review/spec_review.sh
index 918b7cd778a..395cf16923d 100755
--- a/scripts/ci/spec-review/spec_review.sh
+++ b/scripts/ci/spec-review/spec_review.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# See .github/workflows/scripts/spec-review/README.md for local usage and troubleshooting.
+# See scripts/ci/spec-review/README.md for local usage and troubleshooting.
 #
 # Args: --spec <spec_file1> --spec <spec_file2> ... --url <guideline_url1> --url <guideline_url2> --output <output_file> --log <log_file> --knowledge-base <knowledge_base_file>
 
diff --git a/scripts/ci/spec-review/spec_review_multi.sh b/scripts/ci/spec-review/spec_review_multi.sh
index 8f3565241d8..1d7c5f13a30 100755
--- a/scripts/ci/spec-review/spec_review_multi.sh
+++ b/scripts/ci/spec-review/spec_review_multi.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 
 # Multi-model spec review: runs two models sequentially, then synthesizes results.
-# See .github/workflows/scripts/spec-review/README.md for usage.
+# See scripts/ci/spec-review/README.md for usage.
 
 set -euo pipefail
 

From d02a2baba556aa2a5302bfeb6ee275961e66cb82 Mon Sep 17 00:00:00 2001
From: Daniel McIlvaney <damcilva@microsoft.com>
Date: Fri, 29 May 2026 18:46:24 -0700
Subject: [PATCH 4/4] ci: pin tooling deps and add dependency smoke test

Pin the previously-loose pip deps (pydantic==2.13.4, mcp==1.27.2,
python-dotenv==1.2.2) so Dependabot bumps from a concrete baseline.
Add a Dependency Smoke Test workflow that installs each requirements.txt
in a clean venv, py_compiles the scripts, and imports them to catch a
bad bump (or new python) breaking the helper scripts. Triggers on
requirements.txt and *.py changes under scripts/.
---
 .github/workflows/dependency-smoke.yml  | 74 +++++++++++++++++++++++++
 scripts/ci/spec-review/requirements.txt |  2 +-
 scripts/mcps/requirements.txt           |  4 +-
 3 files changed, 77 insertions(+), 3 deletions(-)
 create mode 100644 .github/workflows/dependency-smoke.yml

diff --git a/.github/workflows/dependency-smoke.yml b/.github/workflows/dependency-smoke.yml
new file mode 100644
index 00000000000..f376cb68897
--- /dev/null
+++ b/.github/workflows/dependency-smoke.yml
@@ -0,0 +1,74 @@
+name: "Dependency Smoke Test"
+
+# Sanity-check that the pip-installed helper scripts still install and import
+# after a dependency bump. Primarily a guard for Dependabot PRs that touch a
+# requirements.txt, but also runs on any edit to the scripts themselves.
+on:
+  pull_request:
+    paths:
+      - "scripts/**/requirements.txt"
+      - "scripts/**/*.py"
+      - ".github/workflows/dependency-smoke.yml"
+
+# Cancel in-progress runs of this workflow if a new run is triggered.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  smoke:
+    name: "Smoke: ${{ matrix.dir }}"
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        dir:
+          - scripts/ci/control-tower
+          - scripts/ci/spec-review
+          - scripts/mcps
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
+
+      - name: Install and smoke-test
+        env:
+          DIR: ${{ matrix.dir }}
+        run: |
+          set -euo pipefail
+          cd "$DIR"
+
+          # A clean venv ensures we exercise exactly the pinned requirements.
+          python3 -m venv .smoke-venv
+          # shellcheck disable=SC1091
+          . .smoke-venv/bin/activate
+          python -m pip install --quiet --upgrade pip
+          pip install --quiet -r requirements.txt
+
+          shopt -s nullglob
+          scripts=( *.py )
+          if (( ${#scripts[@]} == 0 )); then
+            echo "No python scripts in $DIR; install-only smoke passed."
+            exit 0
+          fi
+
+          # Syntax-compile every script (works regardless of filename).
+          python -m py_compile "${scripts[@]}"
+
+          # Import each importable module to exercise the bumped dependencies.
+          # Skip files whose name is not a valid module identifier (e.g. hyphenated).
+          for f in "${scripts[@]}"; do
+            mod="${f%.py}"
+            case "$mod" in
+              *[!a-zA-Z0-9_]*)
+                echo "skip import: $f (filename is not a valid module name)"
+                continue
+                ;;
+            esac
+            echo "import $mod"
+            python -c "import $mod"
+          done
diff --git a/scripts/ci/spec-review/requirements.txt b/scripts/ci/spec-review/requirements.txt
index 3381d938279..4b5fe4d67d6 100644
--- a/scripts/ci/spec-review/requirements.txt
+++ b/scripts/ci/spec-review/requirements.txt
@@ -1 +1 @@
-pydantic>=2.0
+pydantic==2.13.4
diff --git a/scripts/mcps/requirements.txt b/scripts/mcps/requirements.txt
index 79c5363627e..27e4acae557 100644
--- a/scripts/mcps/requirements.txt
+++ b/scripts/mcps/requirements.txt
@@ -1,2 +1,2 @@
-mcp
-python-dotenv
+mcp==1.27.2
+python-dotenv==1.2.2