Creating agent definition files
Creating agent definition files
Section titled “Creating agent definition files”This guide shows how to create an ado-aw agent file from scratch.
An agent file is a Markdown document with YAML front matter at the top:
- YAML front matter configures the pipeline
- Markdown body becomes the agent’s instructions
Start with the smallest useful file
Section titled “Start with the smallest useful file”Create a file such as my-agent.md:
---name: "my-agent"description: "Describes what this agent does"engine: copilotpool: AZS-1ES-L-MMS-ubuntu-22.04---
Your agent prompt goes here in markdown. This is what the AI agent will seeas its instructions when the pipeline runs.That is enough to define an agent. The compiler reads the front matter, then uses the Markdown body as the prompt.
Understand the structure
Section titled “Understand the structure”A typical file looks like this:
---name: "dependency-updater"description: "Updates dependencies and proposes safe changes"on: schedule: weekly on monday---
## Dependency updater
Review outdated dependencies, make safe updates, run relevant checks, andsummarize the result.Use the front matter for configuration and keep the body focused on what the agent should do.
Add tools
Section titled “Add tools”Use tools: to control what the agent can do.
tools: bash: ["git", "ls", "cat", "grep", "cargo"] edit: true cache-memory: true azure-devops: trueBash allow-list
Section titled “Bash allow-list”Use tools.bash when you want to restrict shell access to specific commands:
tools: bash: ["git", "npm", "node", "grep"]Use an empty list to disable bash entirely:
tools: bash: []Edit tool
Section titled “Edit tool”The edit tool lets the agent modify files:
tools: edit: trueCache memory
Section titled “Cache memory”Enable persistent memory across runs:
tools: cache-memory: allowed-extensions: [.md, .json, .txt]This is useful for long-running review, triage, or maintenance agents.
Azure DevOps tool
Section titled “Azure DevOps tool”Enable the built-in Azure DevOps MCP integration:
tools: azure-devops: toolsets: [core, repos, wit] allowed: - core_list_projects - repo_list_repos_by_project - wit_get_work_itemIf the agent needs Azure DevOps API access, also configure permissions: appropriately.
Add runtimes
Section titled “Add runtimes”Use runtimes: when the agent needs a language toolchain installed before it runs.
runtimes: python: version: "3.12" node: version: "22.x" dotnet: version: "8.0.x" lean: trueYou can enable just the runtimes you need:
runtimes: python: trueCommon uses:
- python for scripts, data processing, or package-based automation
- node for JavaScript or TypeScript workflows
- dotnet for .NET builds and tooling
- lean for theorem proving and formal verification
Configure safe outputs
Section titled “Configure safe outputs”Safe outputs let the agent propose approved write actions instead of acting directly.
safe-outputs: create-pull-request: target-branch: main reviewers: - user@example.com create-work-item: work-item-type: Task tags: - automated - backlogUse safe outputs when you want the agent to do things like:
- create a pull request
- create or update work items
- comment on a PR or work item
- upload artifacts or attachments
If you configure write-capable safe outputs, also configure permissions.write.
Add repositories with repos:
Section titled “Add repositories with repos:”Use repos: when the agent needs access to repositories beyond the triggering repo.
Shorthand form
Section titled “Shorthand form”repos: - my-org/tools - docs=my-org/product-docsThis is the fastest way to add repositories.
Object form
Section titled “Object form”Use the object form when you need full control:
repos: - name: my-org/tools alias: tools ref: refs/heads/main - name: my-org/pipeline-templates alias: templates ref: refs/heads/release checkout: falseUse checkout: false for a repository that should be declared as a resource but not cloned into the workspace.
Set the workspace
Section titled “Set the workspace”The workspace: field controls which checked-out directory the agent runs in.
workspace: rootCommon values:
root— run from the pipeline working directory rootrepoorself— run from the triggering repository- a repo alias — run from a specific repository declared in
repos:
Example:
repos: - tools=my-org/tools - docs=my-org/product-docsworkspace: docsThat makes the agent run inside the docs repository.
Add triggers
Section titled “Add triggers”Configure triggers under on:.
on: push: branches: include: [main]Pull request
Section titled “Pull request”on: pull_request: branches: include: [main]Schedule
Section titled “Schedule”on: schedule: daily around 14:00You can combine them:
on: push: branches: include: [main] pull_request: branches: include: [main] schedule: weekly on monday around 09:00Put it together
Section titled “Put it together”Here is a practical example:
---name: "dependency-maintainer"description: "Updates dependencies and proposes safe changes"workspace: reporepos: - infra=my-org/infra-scriptson: pull_request: branches: include: [main] schedule: weekly on monday around 09:00tools: bash: ["git", "python", "pip", "npm", "cargo"] edit: true cache-memory: true azure-devops: trueruntimes: python: version: "3.12" node: version: "22.x"safe-outputs: create-pull-request: target-branch: main draft: truepermissions: read: my-read-arm-connection write: my-write-arm-connection---
## Dependency maintainer
Review dependency updates, make safe changes, run the relevant checks, andcreate a pull request with a concise summary.Next steps
Section titled “Next steps”- Create the Markdown file.
- Add only the tools and runtimes your agent needs.
- Configure
repos:andworkspace:if the agent spans multiple repositories. - Add
safe-outputs:for any write actions. - Add
on:triggers so the pipeline runs when you want.