docs: sharpen workflow-authoring guidance for PR scoping, backend compatibility checks, and coverage fallback networking (#39622)

* Initial plan

* docs: refine persona-driven workflow creation guidance

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: Peli de Halleux <pelikhan@users.noreply.github.com>

Author: Copilot

.github/aw/create-agentic-workflow.md

@@ -85,11 +85,19 @@ Use [workflow-patterns.md](workflow-patterns.md) for trigger-selection guidance.
 
 Compact scenario examples:
 
-- **Schema review on PRs**: trigger `pull_request`, read via `github` (`gh-proxy`), publish findings with `add-comment`, call `noop` when schema is unchanged.
+- **Schema/API review on PRs**: trigger `pull_request` with `paths:` scoped to backend contract files (for example `db/migrate/**`, `migrations/**`, `schema/**`, `openapi/**`, `api/**`), read via `github` (`gh-proxy`), publish findings with `add-comment`, call `noop` when contracts are unchanged.
 - **Visual regression on UI changes**: trigger `pull_request`, use `playwright` + `cache-memory`, keep writes in `add-comment`, call `noop` when UI paths are unchanged.
 - **Deployment incident triage**: use `deployment_status` for external provider failures and `workflow_run` for GitHub Actions failures, publish incident reports via `create-issue`, call `noop` when a failure self-recovers or is duplicate noise.
 - **Product/stakeholder digest**: use fuzzy `schedule` plus optional `workflow_dispatch`, publish digest with `create-issue`, call `noop` when there are no updates in the date window.
 
+### 2a. Backend review compact guidance
+
+For backend-focused PR automation (schema migrations and API compatibility):
+
+- scope `pull_request.paths` to backend contract indicators instead of whole-repo review
+- instruct the agent to classify changes as additive, backward-compatible, or breaking, then report only actionable risks
+- include explicit `noop` criteria when no migration/API contract files changed
+
 ### 3. Keep permissions read-only
 
 The main agent job must stay read-only.
@@ -269,7 +277,7 @@ Before finalizing any newly generated workflow, verify:
 
 Before finalizing any newly generated workflow, verify:
 
-- [ ] **Paths scope**: include `paths:`/`paths-ignore:` when the automation should ignore unrelated files
+- [ ] **Paths scope**: include `paths:`/`paths-ignore:` when the automation should ignore unrelated files (for backend reviews, include migration/schema/API contract globs)
 - [ ] **Labels scope**: define required labels (for example `label_command` names or PR/issue label filters) when label-based routing is expected
 - [ ] **Workflow-name scope**: for `workflow_run`, explicitly name target workflows and conclusions to avoid accidental matches
 - [ ] **Date-window scope**: for reporting/triage, state the exact window (for example `last 24h`, `since previous run`, `current week`)

.github/aw/test-coverage.md

@@ -45,6 +45,19 @@ safe-outputs:
 
 Use **only when** no prior CI artifact exists or CI doesn't upload coverage. Supported commands:
 
+- infer the repository ecosystem from project files before running fallback coverage
+- configure `network.allowed` to include `defaults` plus the inferred ecosystem(s) (for example `node`, `python`, `go`)
+- never run fallback coverage with `network: defaults` alone
+
+Example fallback network config:
+
+```yaml
+network:
+  allowed:
+    - defaults
+    - node
+```
+
 | Language | Command |
 |---|---|
 | Node.js | `npx jest --coverage --coverageReporters=json-summary` |