feat: migrate 50% of agentic workflows from upload-asset to upload-artifact #25342

Draft
Copilot wants to merge 6 commits into main from copilot/update-agentic-workflows-upload-artifact

Contributor

Copilot AI commented Apr 8, 2026

Summary

Migrates 9 of 17 agentic workflows (~53%) that use upload-asset safe output to use upload-artifact safe output instead. Refactors the upload-artifact configuration so that retention-days and skip-archive are fixed frontmatter fields rather than agent-settable tool call parameters.

Changes

upload-artifact configuration refactoring (all workflows)

retention-days and skip-archive are now fixed workflow configuration — the agent cannot override them:

upload-artifact:
  retention-days: 30        # templated int — fixed, agent cannot override
  skip-archive: true        # templated bool — fixed, agent cannot override

  • default-retention-days and max-retention-days fields removed
  • allow.skip-archive and defaults.skip-archive removed
  • retention_days and skip_archive removed from the upload_artifact tool input schema (both safe_outputs_tools.json copies) — agents can no longer pass these values
  • upload_artifact.cjs handler now reads fixed values from config; skip-archive enforces a single-file constraint but does not alter the upload API call
  • main_workflow_schema.json updated with new retention-days (templatable int) and skip-archive (templatable bool) properties
  • Go types (UploadArtifactConfig) and compiler updated accordingly

shared/safe-output-upload-artifact.md

  • Updated to new frontmatter: retention-days: 30, skip-archive: true, max-uploads: 3
  • Staging path uses /tmp/gh-aw/safeoutputs/upload-artifacts/

upload_artifact.cjs (core handler)

  • Staging directory base: /tmp/gh-aw/
  • Temporary artifact ID format: aw_XXXXXXXX (8 alphanumeric), matching other safe outputs such as create_issue
  • Resolver file path: /tmp/gh-aw/artifact-resolver.json

safe_outputs_tools.json (both copies)

  • Removed retention_days and skip_archive from tool input schema
  • Updated description to note retention and archive settings are fixed by workflow configuration

Migrated Workflows (9/17 ≈ 50%)

Group 1 — Frontmatter + minimal prompt update:

  • audit-workflows.md: retention-days: 30
  • technical-doc-writer.md: retention-days: 30
  • poem-bot.md: retention-days: 30
  • deep-report.md: retention-days: 30

Group 2 — Frontmatter + chart artifact ID substitution:

  • daily-firewall-report.md: retention-days: 30, skip-archive: true; chart upload instructions updated
  • daily-performance-summary.md: retention-days: 30, skip-archive: true; chart upload instructions updated
  • api-consumption-report.md: retention-days: 30, skip-archive: true, max-uploads: 5; all 5 chart artifact references are hyperlinks to the workflow run artifacts page

Group 3 — Frontmatter + screenshot artifact ID substitution:

  • docs-noob-tester.md: retention-days: 30, skip-archive: true
  • unbloat-docs.md: retention-days: 30, skip-archive: true

Also updated

  • smoke-copilot.md (pre-existing workflow) — migrated from old default-retention-days/max-retention-days/allow.skip-archive to new retention-days: 1, skip-archive: true

Not Migrated (8/17 workflows)

  • portfolio-analyst.md, python-data-charts.md, daily-news.md, daily-repo-chronicle.md — heavily rely on inline chart image embedding (requires permanent URLs)
  • weekly-editors-health-check.md — embeds screenshots in MDX documentation files (requires permanent URLs)
  • org-health-report.md, stale-repo-identifier.md — import shared/python-dataviz.md which still provides upload_asset, causing conflicting tool availability

How the Prompt Changes Work

For chart-embedding workflows, the pattern changes from:

# Before
1. Upload charts using the `upload asset` tool
2. Collect the returned URLs for embedding
![Chart Name](URL_FROM_UPLOAD_ASSET)

To:

# After
1. Stage charts to /tmp/gh-aw/safeoutputs/upload-artifacts/
2. Call the `upload_artifact` safe-output tool (retention and skip-archive are fixed by config)
3. Record the returned `aw_*` IDs
📎 **[Chart Name](https://github.com/{repo}/actions/runs/{run_id})** — artifact `aw_XXXXXXXX`

The aw_* temporary IDs are consistent with other safe outputs, and chart names link directly to the workflow run artifacts page for download.
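
The restriction described above (retention and archive settings come from frontmatter, never from the agent's tool call; uploads are confined to the staging directory) as an added JavaScript example. It is not code from gh-aw: the `name` and `files` message fields, the function names and the sample messages are assumptions made for illustration.

```javascript
// Added illustration, not the gh-aw handler. The message fields `name` and
// `files` and all function names are assumptions made for this sketch.
const STAGING_DIR = "/tmp/gh-aw/safeoutputs/upload-artifacts"; // path from the PR
const ALLOWED_FIELDS = new Set(["name", "files"]); // hypothetical tool schema

// Resolve a relative path under the staging dir; return null if it escapes.
function resolveStaged(rel) {
  if (typeof rel !== "string" || rel === "" || rel.startsWith("/") || rel.includes("\0")) return null;
  const parts = [];
  for (const seg of rel.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (parts.length === 0) return null; // would climb out of staging
      parts.pop();
    } else {
      parts.push(seg);
    }
  }
  return parts.length ? `${STAGING_DIR}/${parts.join("/")}` : null;
}

// Turn an agent message into an upload request, or an error.
// `config` is the workflow frontmatter; `used` counts earlier uploads in this run.
function planUpload(message, config, used) {
  const fail = error => ({ ok: false, error });
  // Fields outside the schema (retention_days, skip_archive, ...) are rejected,
  // not silently ignored, so an attempted override is visible in the result.
  for (const key of Object.keys(message)) {
    if (!ALLOWED_FIELDS.has(key)) return fail(`field not allowed: ${key}`);
  }
  // The PR notes max-uploads defaulted to 1 when unset.
  if (used >= (config["max-uploads"] ?? 1)) return fail("max-uploads reached");
  if (!Array.isArray(message.files) || message.files.length === 0) return fail("no files");
  const files = message.files.map(resolveStaged);
  if (files.includes(null)) return fail("path outside staging directory");
  // skip-archive only constrains the file count; it does not change the upload call.
  if (config["skip-archive"] === true && files.length !== 1) {
    return fail("skip-archive requires exactly one file");
  }
  // Retention is taken from config only; nothing from `message` reaches it.
  return { ok: true, name: String(message.name || "artifact"), files, retentionDays: config["retention-days"] };
}

// Constructed sample: frontmatter values as in the PR, plus three agent messages.
const SAMPLE_CONFIG = { "retention-days": 30, "skip-archive": true, "max-uploads": 3 };
const SAMPLE_MESSAGES = [
  { name: "chart", files: ["charts/api_calls.png"] },                     // accepted
  { name: "chart", files: ["charts/api_calls.png"], retention_days: 90 }, // override attempt
  { name: "x", files: ["../../agent/secrets.txt"] },                      // traversal attempt
];
const SAMPLE_RESULTS = SAMPLE_MESSAGES.map(m => planUpload(m, SAMPLE_CONFIG, 0));
```

The path check is purely lexical; a handler that reads the files would also need to resolve symlinks before trusting the result.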

Copilot AI and others added 2 commits April 8, 2026 16:36
…0-day retention

- Update shared/safe-output-upload-artifact.md default retention to 30 days
- Migrate audit-workflows.md, org-health-report.md, technical-doc-writer.md,
  poem-bot.md, deep-report.md, stale-repo-identifier.md (frontmatter + prompts)
- Migrate daily-firewall-report.md, daily-performance-summary.md,
  api-consumption-report.md (frontmatter + significant prompt updates for artifact
  ID substitution in discussion content)
- Update chart-embedding prompts to use upload_artifact tool with tmp_artifact_*
  IDs and workflow run artifact links
- Recompile all 182 workflow lock files"

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/d11556eb-0f4b-46a1-968b-0dc573522574

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…ester and unbloat-docs

org-health-report and stale-repo-identifier both import shared/python-dataviz.md
which still provides upload_asset, causing both tools to be present simultaneously.
Replaced with docs-noob-tester and unbloat-docs which have clean migrations.

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/d11556eb-0f4b-46a1-968b-0dc573522574

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Collaborator

pelikhan commented Apr 8, 2026

@copilot

  • do not use RUNNER_TEMP. Use /tmp/gh-aw/ as a base folder
  • update the format of the temporary id created in upload-artifact to match the temporary id in other safe outputs

Per feedback:
- Replace RUNNER_TEMP with /tmp/gh-aw/ as base folder in upload_artifact.cjs
  staging dir, resolver file, tool descriptions, shared workflow, and all prompts
- Change upload_artifact temporary ID format from tmp_artifact_XXXXXXXXXXXXXXXXXXXXXXXXXX
  to aw_XXXXXXXX (matching the format used by other safe outputs)
- Update test expectations to match new aw_[A-Za-z0-9]{8} pattern
- Update safe_outputs_tools.json (both copies) with new paths and ID format

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/cdabdbbc-34fe-4cf8-a5e9-b5d6f8d762d8

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Apr 8, 2026

@copilot

  • do not use RUNNER_TEMP. Use /tmp/gh-aw/ as a base folder...

Fixed in dd17133:

  1. Staging path: Changed from $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/ to /tmp/gh-aw/safeoutputs/upload-artifacts/ in upload_artifact.cjs, both safe_outputs_tools.json copies, shared/safe-output-upload-artifact.md, and all migrated workflow prompts.

  2. Temporary ID format: Changed from tmp_artifact_XXXXXXXXXXXXXXXXXXXXXXXXXX (26 uppercase alphanumeric) to aw_XXXXXXXX (8 alphanumeric), matching the format used by create_issue and other safe outputs. Updated upload_artifact.cjs, test expectations in upload_artifact.test.cjs, and all prompt references.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/-
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

### 🔗 GitHub API Calls Trend (90 days)

![GitHub API Calls Trend]({api_calls_trend_url})
📎 **Chart: GitHub API Calls Trend** — artifact `{api_calls_trend_aw_id}` available in the [workflow run artifacts](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
Collaborator

@copilot link to artifact download url

Contributor Author

Fixed in 79e559c. All 5 chart references are now hyperlinks to the workflow run artifacts page, e.g.:

📎 **[Chart: GitHub API Calls Trend](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})** — artifact `{api_calls_trend_aw_id}`

Comment on lines +19 to +20
default-retention-days: 30
max-retention-days: 30
Collaborator

@copilot specify retention days to 30

Contributor Author

Fixed in 79e559c. Added max-uploads: 5 (to support all 5 charts) and kept default-retention-days: 30 and max-retention-days: 30 explicitly. Also added skip_archive: true to the tool call instruction in the prompt.

timeout: 300
safe-outputs:
upload-asset:
upload-artifact:
Collaborator

@copilot skip archive true

Contributor Author

Fixed in 79e559c — added allow.skip-archive: true to the upload-artifact config.

…tifacts

- Add allow.skip-archive: true to upload-artifact config (allow single-file
  uploads without zip archiving)
- Add max-uploads: 5 to support uploading all 5 charts (was defaulting to 1)
- Update retention days to 30 (kept explicit default-retention-days: 30 and
  max-retention-days: 30)
- Add skip_archive: true to the upload_artifact tool call instruction in prompt
- Make all 5 chart artifact references hyperlinks to the workflow run artifacts
  page so readers can download the charts directly

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/f899c209-e6db-4d6a-90d9-9f8034aaf93d

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Apr 8, 2026

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/-
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Collaborator

pelikhan commented Apr 8, 2026

@copilot refactor upload-artifact to move the configurations as field in the front matter, not a tool call.

upload-artifact:
skip-archive: templated boolean
retention-days: templated int

do not allow these values to be set by the agent. They are fixed.

Remove max-retention-days, default-retention-days fields.

Copilot AI and others added 2 commits April 8, 2026 18:56
…ntmatter config

The agent can no longer set `retention_days` or `skip_archive` in tool calls —
these are now fixed workflow configuration. Changes:

- `UploadArtifactConfig`: replace `DefaultRetentionDays`/`MaxRetentionDays`/
  `ArtifactAllowConfig`/`ArtifactDefaultsConfig.SkipArchive` with two new
  templatable fields: `RetentionDays *string` and `SkipArchive *string`
- `parseUploadArtifactConfig`: parse new fields using preprocessIntFieldAsString
  and preprocessBoolFieldAsString (supports GH Actions expressions)
- `compiler_safe_outputs_config.go`: serialize new fields via AddTemplatableInt /
  AddTemplatableBool instead of old allow-skip-archive / default-retention-days
- `upload_artifact.cjs`: use fixed `retention-days` and `skip-archive` from
  config; remove agent-controlled `retention_days` / `skip_archive` message
  fields; remove `clampRetention` helper
- Both `safe_outputs_tools.json`: remove `retention_days` and `skip_archive`
  from the tool input schema (agent cannot set these)
- `main_workflow_schema.json`: add `retention-days` + `skip-archive` (templatable)
  and remove `default-retention-days`, `max-retention-days`, `allow`, and
  `defaults.skip-archive`
- `shared/safe-output-upload-artifact.md`: update defaults
- All 9 migrated workflows + smoke-copilot.md: replace old frontmatter fields
  with new ones; remove `retention_days`/`skip_archive` from tool call instructions
- Update Go and JS test files to cover new API

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/c048f9ab-1d7e-49df-8dc0-24c7eec06584

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Apr 8, 2026

@copilot refactor upload-artifact to move the configurations as field in the front matter, not a tool call.

upload-artifact:...

Done in e462f5e (with 016cbca fixing a review issue). The upload-artifact config now uses:

upload-artifact:
  retention-days: 30        # templated int — fixed, agent cannot override
  skip-archive: true        # templated bool — fixed, agent cannot override

  • retention_days and skip_archive removed from both safe_outputs_tools.json schemas (agent can't set them)
  • upload_artifact.cjs reads fixed values from config["retention-days"] and config["skip-archive"]; skip-archive enforces the single-file constraint but doesn't change the upload API call
  • max-retention-days and default-retention-days removed from Go types, JS handler, and JSON schema
  • allow / defaults.skip-archive removed from schema and types
  • All 10 affected workflows (9 migrated + smoke-copilot.md) updated to new frontmatter; all 182 lock files recompiled

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/-
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:
