Add agentic workflow for labelling azd extension PRs

[JeffreyCA]

This PR introduces a GitHub Agentic Workflow and adds an extension-focused PR labeler for first-party azd extensions under cli/azd/extensions/** and closely related Azure AI design docs.

Note

This workflow uses safe-outputs.add-labels.allowed: [area/extensions, ext-*] so new extension labels can be picked up without editing the workflow each time. Runtime glob matching for allowed was added in github/gh-aw#32027, and this PR now pins and compiles with gh-aw v0.74.4 to pick up that fix.

• Recompiled workflow with gh-aw v0.74.4 after Support glob patterns in allowed label filters for safe-outputs github/gh-aw#32027 was released

What changes

• Adds an Agentic Workflow that runs for PRs touching cli/azd/extensions/** or cli/azd/docs/**.
• Infers related extension IDs from extension folder names, explicit IDs in docs, and strongly related doc topics.
• Applies the matching ext-* label for mapped extension IDs.
• Applies multiple ext-* labels when a PR relates to multiple mapped extension IDs.
• Falls back to area/extensions when extension-related changes do not match a current ext-* mapping.

Agentic Workflow setup

Because this is the first Agentic Workflow in the repository, this PR also includes the required gh-aw setup artifacts generated from gh aw init:

• Agent instructions/configuration
• MCP configuration
• Action pin metadata
• Lock-file Git attributes
• Copilot setup changes to install the gh-aw CLI

These files support compiling and maintaining the generated workflow lock file and make future Agentic Workflow changes reproducible for reviewers and agents.

Safety and references

The workflow follows gh-aw guidance for Markdown-based workflows, compiled lock files, read-only agent permissions, and GitHub writes through safe-outputs.add-labels:

• https://raw.githubusercontent.com/github/gh-aw/main/create.md
• https://raw.githubusercontent.com/github/gh-aw/main/.github/aw/github-agentic-workflows.md
• https://raw.githubusercontent.com/github/gh-aw/main/.github/aw/safe-outputs.md
• https://raw.githubusercontent.com/github/gh-aw/main/.github/aw/triggers.md

Operational note: the default Copilot engine uses the COPILOT_GITHUB_TOKEN GitHub Actions secret for Copilot CLI authentication. The current PAT expires on August 12, 2026 and should be renewed/rotated before then using the gh-aw AI engine secret guidance:

• https://github.github.com/gh-aw/reference/auth/#github-actions-secrets-for-ai-engines

Validation

Tested and verified on fork repo PR

[jongio]

The security model here is solid - read-only agent permissions, safe-outputs constrained to add_labels with an allowlist, team membership gating in pre_activation, and AWF firewall sandboxing. pull_request_target is the right trigger since this needs to label fork PRs too.

One question on the doc version references in the agent instructions file - see inline comment.

nit: .github/mcp.json is missing a trailing newline.