Update instructions to use upload-artifact with skip-archive instead of upload-asset

[Copilot]

Summary

Updates workflow instructions and documentation to recommend upload-artifact with skip-archive: true instead of upload-asset for uploading images, charts, and screenshots.

Why

upload-artifact with skip-archive is preferred because it:

• Puts less pressure on the git storage system — no orphaned branches cluttering the repository
• Automatically destroys images once the artifact expires — better resource management with no manual cleanup needed

Changes

Workflow files migrated (frontmatter upload-asset → upload-artifact with skip-archive: true):

• stale-repo-identifier.md
• daily-repo-chronicle.md
• daily-news.md
• org-health-report.md
• daily-multi-device-docs-tester.md
• portfolio-analyst.md
• weekly-editors-health-check.md
• python-data-charts.md

Shared workflow updated:

• shared/python-dataviz.md — removed upload-asset, kept only upload-artifact with skip-archive: true. Updated documentation section to remove the "Approach 2: Upload Asset" alternative.

Custom agent instructions updated:

• .github/aw/charts.md — all three chart workflow templates now use upload-artifact
• .github/aw/github-agentic-workflows.md — marked upload-asset as deprecated, recommended upload-artifact with skip-archive

Test workflows updated:

• test-copilot-playwright-screenshots.md
• test-claude-playwright-screenshots.md
• test-playwright-args.md
• test-all.md

Documentation updated:

• docs/src/content/docs/reference/safe-outputs.md — added deprecation notice with caution block on the upload-asset section

Lock files recompiled: All affected .lock.yml files regenerated (upload_assets job removed from compiled workflows).

Validation

• ✅ make build — successful
• ✅ make recompile — 187/187 workflows compiled successfully
• ✅ make fmt — formatting passes
• ✅ make lint — linting passes
• ✅ Code review — no issues found

[pelikhan]

@copilot merge main and recompile

[Copilot]

Pull request overview

This PR updates workflow templates, documentation, and compiled workflow lockfiles to recommend and standardize using upload-artifact with skip-archive: true in place of upload-asset for uploading images/charts/screenshots.

Changes:

• Migrated multiple workflow frontmatters and instructions from upload-asset to upload-artifact with skip-archive: true.
• Updated shared/workflow documentation to deprecate upload-asset and document the preferred artifact-based approach.
• Regenerated affected .lock.yml compiled workflows to remove the upload_assets job and associated contents: write permissions.

Show a summary per file

File	Description
pkg/workflow/data/action_pins.json	Reorders/adds pinned container image entry used by workflows.
pkg/cli/workflows/test-playwright-args.md	Switches safe-outputs config/instructions to upload-artifact.
pkg/cli/workflows/test-copilot-playwright-screenshots.md	Switches safe-outputs config/instructions to upload-artifact.
pkg/cli/workflows/test-claude-playwright-screenshots.md	Switches safe-outputs config/instructions to upload-artifact.
pkg/cli/workflows/test-all.md	Updates instructional text to reference upload_artifact tool.
docs/src/content/docs/reference/safe-outputs.md	Adds deprecation guidance for upload-asset and preference for upload-artifact.
.github/workflows/weekly-issue-summary.lock.yml	Removes upload_asset tool/job and related permissions/env in compiled workflow.
.github/workflows/weekly-editors-health-check.md	Migrates safe-outputs config/instructions to upload-artifact.
.github/workflows/stale-repo-identifier.md	Migrates safe-outputs config to upload-artifact.
.github/workflows/stale-repo-identifier.lock.yml	Removes upload_assets job and upload_asset config in compiled workflow.
.github/workflows/shared/python-dataviz.md	Removes upload-asset approach and updates guidance to artifact-based uploads.
.github/workflows/python-data-charts.md	Migrates safe-outputs config to upload-artifact.
.github/workflows/python-data-charts.lock.yml	Removes upload_assets job and upload_asset config in compiled workflow.
.github/workflows/portfolio-analyst.md	Migrates safe-outputs config to upload-artifact.
.github/workflows/org-health-report.md	Migrates safe-outputs config to upload-artifact.
.github/workflows/org-health-report.lock.yml	Removes upload_assets job and upload_asset config in compiled workflow.
.github/workflows/github-mcp-structural-analysis.lock.yml	Removes upload_assets job and upload_asset config in compiled workflow.
.github/workflows/daily-repo-chronicle.md	Migrates safe-outputs config/instructions to upload-artifact.
.github/workflows/daily-repo-chronicle.lock.yml	Removes upload_assets job and upload_asset config in compiled workflow.
.github/workflows/daily-news.md	Migrates safe-outputs config to upload-artifact.
.github/workflows/daily-news.lock.yml	Removes upload_assets job and upload_asset config in compiled workflow.
.github/workflows/daily-multi-device-docs-tester.md	Migrates safe-outputs config to upload-artifact.
.github/workflows/daily-issues-report.lock.yml	Removes upload_assets job and upload_asset config in compiled workflow.
.github/workflows/daily-integrity-analysis.lock.yml	Removes upload_assets job and upload_asset config in compiled workflow.
.github/workflows/daily-code-metrics.lock.yml	Removes upload_assets job and upload_asset config in compiled workflow.
.github/workflows/copilot-token-audit.lock.yml	Removes upload_assets job and upload_asset config in compiled workflow.
.github/workflows/copilot-session-insights.lock.yml	Removes upload_assets job and upload_asset config in compiled workflow.
.github/workflows/copilot-pr-nlp-analysis.lock.yml	Removes upload_assets job and upload_asset config in compiled workflow.
.github/aw/github-agentic-workflows.md	Marks upload-asset as deprecated and recommends upload-artifact with skip-archive.
.github/aw/charts.md	Updates chart workflow templates to use upload-artifact.
.github/aw/actions-lock.json	Reorders/adds pinned container image entry for agentic workflow tooling.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 34/34 changed files
• Comments generated: 12

[Copilot]

safe-outputs.upload-artifact is configured without allowed-paths. With the current upload_artifact handler, an empty allowed-paths list means “all staging files allowed”, and the handler will auto-copy arbitrary absolute/workspace paths into staging before upload. Add a restrictive allowed-paths list (e.g., image-only globs like **/*.png, **/*.jpg, **/*.svg) to prevent accidental/abusive exfiltration of non-image files.

Suggested change

	skip-archive: true
	skip-archive: true
	allowed-paths:
	- "**/*.png"
	- "**/*.jpg"
	- "**/*.svg"

[Copilot]

safe-outputs.upload-artifact is missing allowed-paths. Without it, upload_artifact will allow uploading any file that can be auto-copied into the staging directory. Add allowed-paths to constrain uploads to the intended outputs (e.g., **/*.png, **/*.jpg, **/*.svg for charts/screenshots).

Suggested change

	skip-archive: true
	skip-archive: true
	allowed-paths:
	- "**/*.png"
	- "**/*.jpg"
	- "**/*.jpeg"
	- "**/*.svg"

[Copilot]

safe-outputs.upload-artifact is configured without allowed-paths, which means the upload_artifact handler will permit uploading any staged file (including files auto-copied from arbitrary paths). Add an allowed-paths allowlist appropriate for this workflow (e.g., image-only globs for report screenshots/charts).

Suggested change

	skip-archive: true
	skip-archive: true
	allowed-paths:
	- reports/**/*.png
	- reports/**/*.jpg
	- reports/**/*.jpeg
	- reports/**/*.svg
	- reports/**/*.pdf

[Copilot]

The instructions say to “Upload both charts” while skip-archive: true is enabled. The upload_artifact handler enforces that skip-archive uploads select exactly one file per tool call, so uploading both charts in a single request (e.g., via filters) will fail. Clarify that each chart must be uploaded in a separate upload_artifact call (or disable skip-archive).

Suggested change

	1. Upload both charts using the `upload_artifact` tool
	2. Collect the returned URLs for embedding in the discussion
	1. Upload `/tmp/gh-aw/python/charts/issues_prs_trends.png` using a single `upload_artifact` tool call
	2. Upload `/tmp/gh-aw/python/charts/commit_trends.png` using a separate `upload_artifact` tool call
	3. Collect the two returned URLs for embedding in the discussion

[Copilot]

safe-outputs.upload-artifact is missing allowed-paths. Since the handler can auto-copy arbitrary paths into staging, leaving this empty makes it possible to upload unintended files. Add an explicit allowed-paths allowlist appropriate for the docs test artifacts (e.g., **/*.png, **/*.jpg).

Suggested change

	skip-archive: true
	skip-archive: true
	allowed-paths:
	- "**/*.png"
	- "**/*.jpg"
	- "**/*.jpeg"

[Copilot]

safe-outputs.upload-artifact is configured without allowed-paths. Since the handler auto-copies files into staging, an empty allowlist can permit uploading unintended files. Add allowed-paths (e.g., **/*.png) to constrain uploads to screenshots.

[Copilot]

safe-outputs.upload-artifact is configured without allowed-paths. Because the handler auto-copies arbitrary absolute/workspace paths into staging, leaving allowed-paths empty effectively allows uploading any accessible file. Add a restrictive allowlist (e.g., **/*.png, **/*.jpg, **/*.svg) so only generated charts can be uploaded.

Suggested change

	retention-days: 30
	retention-days: 30
	allowed-paths:
	- "**/*.png"
	- "**/*.jpg"
	- "**/*.svg"

[Copilot]

safe-outputs.upload-artifact is set up without allowed-paths. With an empty allowlist, the upload_artifact handler will allow uploading any staged/auto-copied file. Add allowed-paths restricting uploads to the expected file types for this workflow (e.g., screenshots).

Suggested change

	skip-archive: true
	skip-archive: true
	allowed-paths:
	- "**/*.md"

[Copilot]

safe-outputs.upload-artifact is enabled without allowed-paths. The upload_artifact handler treats an empty list as “all staging files allowed” and will auto-copy arbitrary paths into staging before upload. Add allowed-paths to limit uploads to the expected screenshot formats (e.g., **/*.png).

Suggested change

	upload-artifact:
	upload-artifact:
	allowed-paths:
	- "**/*.png"

[Copilot]

safe-outputs.upload-artifact is configured without allowed-paths. With no allowlist, upload_artifact can upload any staged/auto-copied file. Add allowed-paths (e.g., **/*.png) to ensure only screenshots can be uploaded.

[Copilot]

@copilot merge main and recompile

Done — merged main and recompiled all 187 workflows successfully in 635ba8a. Resolved conflicts in stale-repo-identifier.md (kept the more detailed upload-artifact config from main without upload-asset) and all .lock.yml files were regenerated.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
• https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v7
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v7 --jq .object.sha (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v7 --jq .object.sha to pkg/workflow/data/action_pins.json..." (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
• https://api.github.com/repos/docker/build-push-action/git/ref/tags/v7
  • Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v7 --jq .object.sha (http block)
• https://api.github.com/repos/githubnext/agentics/git/ref/tags/-
  • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)