Update prompts to use upload-asset instead of upload-artifact for image uploads #26507

Merged
pelikhan merged 3 commits into main from copilot/update-prompts-use-upload-asset
Apr 15, 2026

Contributor

Copilot AI commented Apr 15, 2026

  • Identify instruction, shared workflow, and workflow prompt files that currently recommend upload-artifact for image/chart/screenshot uploads
  • Confirm upload_asset tool semantics and required input path format
  • Update instruction docs to recommend upload-asset (and remove image-upload recommendations for upload-artifact)
  • Update shared agentic workflows to configure/use upload-asset for image/chart uploads
  • Update agentic workflow prompts to use upload_asset for screenshots/charts/images
  • Run required validation (make agent-finish) after edits
  • Recompile workflows and verify lockfiles were regenerated
  • Run parallel_validation and review findings
  • Create/update PR with final summary

Copilot AI requested a review from pelikhan April 15, 2026 22:46
@pelikhan pelikhan marked this pull request as ready for review April 15, 2026 23:00
Copilot AI review requested due to automatic review settings April 15, 2026 23:00
@github-actions github-actions bot mentioned this pull request Apr 15, 2026
Contributor

Copilot AI left a comment

Pull request overview

Updates agentic workflow prompts and generated workflow lockfiles to use upload-asset (safe output upload_asset) for image/chart/screenshot uploads instead of relying on upload-artifact patterns.

Changes:

  • Updated multiple workflow instruction markdown files to recommend calling upload_asset with absolute image paths and embedding returned asset URLs.
  • Updated multiple compiled workflow lockfiles to configure upload_asset, propagate GH_AW_ASSETS_* env vars, and add an upload_assets publication job.
  • Updated shared documentation to reframe upload-artifact as best for run-scoped deliverables vs upload-asset for embeddable images.
Summary per file:

| File | Description |
| --- | --- |
| .github/workflows/weekly-issue-summary.lock.yml | Adds upload_asset safe output config + upload_assets job; updates prompts/env to support asset publication. |
| .github/workflows/weekly-editors-health-check.md | Switches screenshot upload guidance from artifacts to assets and updates safe-outputs config. |
| .github/workflows/unbloat-docs.md | Updates screenshot upload instructions to use upload_asset with absolute paths and asset URLs. |
| .github/workflows/shared/trending-charts-simple.md | Updates chart upload section to use upload_asset and embed asset URLs. |
| .github/workflows/shared/safe-output-upload-artifact.md | Updates guidance to prefer upload_asset for images while retaining artifact embedding info. |
| .github/workflows/shared/python-dataviz.md | Switches safe-outputs config and instructions to upload_asset for charts/images. |
| .github/workflows/python-data-charts.lock.yml | Adds upload_asset config + upload_assets publication job and env wiring in compiled workflow. |
| .github/workflows/portfolio-analyst.lock.yml | Adds upload_asset config + upload_assets publication job and env wiring in compiled workflow. |
| .github/workflows/org-health-report.lock.yml | Adds upload_asset config + upload_assets publication job and env wiring in compiled workflow. |
| .github/workflows/docs-noob-tester.md | Updates screenshot upload instructions to call upload_asset directly and report asset URLs. |
| .github/workflows/docs-noob-tester.lock.yml | Adds upload_asset config + upload_assets publication job and env wiring in compiled workflow. |
| .github/workflows/daily-repo-chronicle.md | Updates chart upload + embedding placeholders from artifact URLs to asset URLs. |
| .github/workflows/daily-repo-chronicle.lock.yml | Adds upload_asset config + upload_assets publication job and env wiring in compiled workflow. |
| .github/workflows/daily-performance-summary.md | Updates chart upload instructions and embeds to use asset URLs. |
| .github/workflows/daily-news.lock.yml | Adds upload_asset config + upload_assets publication job and env wiring in compiled workflow. |
| .github/workflows/daily-integrity-analysis.lock.yml | Adds upload_asset config + upload_assets publication job and env wiring in compiled workflow. |
| .github/workflows/daily-firewall-report.md | Updates chart upload instructions and embeds to use asset URLs. |
| .github/workflows/daily-firewall-report.lock.yml | Adds upload_asset config + upload_assets publication job and env wiring in compiled workflow. |
| .github/workflows/copilot-token-audit.lock.yml | Adds upload_asset config + upload_assets publication job and env wiring in compiled workflow. |
| .github/workflows/copilot-session-insights.lock.yml | Adds upload_asset config + upload_assets publication job and env wiring in compiled workflow. |
| .github/workflows/audit-workflows.md | Switches chart upload instructions to upload_asset and asset URL embedding. |
| .github/workflows/api-consumption-report.md | Rewrites chart upload step to call upload_asset with absolute paths and embed asset URLs. |
| .github/aw/github-agentic-workflows.md | Updates docs to recommend upload-asset for embeddable images and upload-artifact for temporary deliverables. |
| .github/aw/charts.md | Updates chart workflow examples to configure upload-asset rather than artifact uploads. |

Copilot's findings

Comments suppressed due to low confidence (11)

.github/workflows/copilot-session-insights.lock.yml:1455

  • contents: write is granted to this job too. Please reduce to contents: read unless it must write to the repo; keep write access limited to the asset-publication job to minimize token scope.
    if: (!cancelled()) && needs.agent.result != 'skipped' && needs.detection.result == 'success'
    runs-on: ubuntu-slim
    permissions:
      contents: write
      discussions: write
      issues: write

.github/workflows/python-data-charts.lock.yml:1323

  • contents: write is granted for this job as well. If it doesn’t directly write to the repo, consider reducing to contents: read and leaving write access only on upload_assets.
    runs-on: ubuntu-slim
    permissions:
      contents: write
      discussions: write
      issues: write

.github/workflows/org-health-report.lock.yml:1254

  • This job’s permissions include contents: write. If it isn’t responsible for publishing assets (git push), consider reverting to contents: read and limiting write access to upload_assets only.
    if: (!cancelled()) && needs.agent.result != 'skipped' && needs.detection.result == 'success'
    runs-on: ubuntu-slim
    permissions:
      contents: write
      discussions: write
      issues: write

.github/workflows/docs-noob-tester.lock.yml:1203

  • contents: write is enabled for this job as well. Consider reducing to contents: read unless this job actually performs repository writes (publishing assets should be the only place that requires write access).
    runs-on: ubuntu-slim
    permissions:
      contents: write
      discussions: write
      issues: write

.github/workflows/daily-news.lock.yml:1513

  • contents: write is enabled here as well. Unless this job needs to push commits (vs. relying on upload_assets), reduce it back to contents: read to adhere to least-privilege.
    runs-on: ubuntu-slim
    permissions:
      contents: write
      discussions: write
      issues: write

.github/workflows/daily-repo-chronicle.lock.yml:1269

  • contents: write is granted to this job. Unless this job performs git pushes/commits, it should keep contents: read and let the separate upload_assets job handle repo writes.
    if: (!cancelled()) && needs.agent.result != 'skipped' && needs.detection.result == 'success'
    runs-on: ubuntu-slim
    permissions:
      contents: write
      discussions: write
      issues: write

.github/workflows/weekly-issue-summary.lock.yml:1224

  • This job also has contents: write enabled. Unless it performs repository writes (git pushes/commits), consider reverting to contents: read and keeping write permission scoped to the upload_assets job only.

.github/workflows/portfolio-analyst.lock.yml:1349

  • contents: write is enabled for this job too. Unless this job performs repository writes itself, keep contents: read and restrict write permissions to the dedicated upload_assets job that publishes the assets branch.
    runs-on: ubuntu-slim
    permissions:
      contents: write
      discussions: write
      issues: write

.github/workflows/daily-integrity-analysis.lock.yml:1367

  • contents: write is also granted to this job. Unless it needs to push commits/branches, prefer contents: read and keep write permission isolated to the asset-publication job.
    if: (!cancelled()) && needs.agent.result != 'skipped' && needs.detection.result == 'success'
    runs-on: ubuntu-slim
    permissions:
      contents: write
      discussions: write
      issues: write

.github/workflows/daily-firewall-report.lock.yml:1350

  • contents: write is granted for this job too. Please reduce to contents: read unless this job itself performs repository writes; keep write access scoped to upload_assets for least privilege.
    if: (!cancelled()) && needs.agent.result != 'skipped' && needs.detection.result == 'success'
    runs-on: ubuntu-slim
    permissions:
      contents: write
      discussions: write
      issues: write

.github/workflows/copilot-token-audit.lock.yml:1465

  • contents: write is enabled for this job as well. Consider reverting to contents: read unless this job needs to write to the repository; limit write access to the upload_assets job for least privilege.
    if: (!cancelled()) && needs.agent.result != 'skipped' && needs.detection.result == 'success'
    runs-on: ubuntu-slim
    permissions:
      contents: write
      discussions: write
      issues: write
  • Files reviewed: 34/34 changed files
  • Comments generated: 12

Comment on lines 289 to 290
- Allowed: PNG, JPG, SVG files
- Retention: 30 days

Copilot AI Apr 15, 2026

The “Asset Upload” summary bullets still mention a 30-day retention and omit .jpeg, which doesn’t match upload-asset semantics (assets are persisted on an assets branch rather than expiring like artifacts). Please remove/clarify the retention bullet and ensure the allowed extensions list matches the configured allowed-exts (includes .jpeg).

Suggested change
- Allowed: PNG, JPG, SVG files
- Retention: 30 days
- Allowed: PNG, JPG, JPEG, SVG files
- Persistence: stored as persistent assets (not 30-day artifacts)
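
Review bot: the replacement bullet "Persistence: stored as persistent assets (not 30-day artifacts)" says what the retention is not, but not where the files go or how long they stay. The comment above states that assets are persisted on an assets branch rather than expiring, so the bullet should say that directly; a workflow author then knows an uploaded chart or screenshot stays in the repository until someone deletes it.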

runs-on: ubuntu-slim
permissions:
contents: read
contents: write

Copilot AI Apr 15, 2026

This job’s permissions were changed to contents: write. Unless this job is actually pushing commits/branches, consider reverting to contents: read and limiting contents: write to the upload_assets job that publishes the assets branch, to reduce token scope.

This issue also appears on line 1319 of the same file.

Suggested change
contents: write
contents: read

runs-on: ubuntu-slim
permissions:
contents: read
contents: write

Copilot AI Apr 15, 2026

contents: write was added here. If this job doesn’t push commits/branches (and publishing is handled in the dedicated upload_assets job), consider keeping contents: read and limiting write access to only the asset-publication job to follow least privilege.

This issue also appears on line 1345 of the same file.

Suggested change
contents: write
contents: read

runs-on: ubuntu-slim
permissions:
contents: read
contents: write

Copilot AI Apr 15, 2026

This job’s permissions were broadened to contents: write. If it doesn’t push to the repo directly, prefer contents: read and confine write permissions to the upload_assets job that publishes the assets branch.

This issue also appears on line 1199 of the same file.

Suggested change
contents: write
contents: read

runs-on: ubuntu-slim
permissions:
contents: read
contents: write

Copilot AI Apr 15, 2026

This job now has contents: write. If repository writes only happen in upload_assets, consider reverting this job back to contents: read to minimize token scope.

This issue also appears on line 1264 of the same file.

Suggested change
contents: write
contents: read

runs-on: ubuntu-slim
permissions:
contents: read
contents: write

Copilot AI Apr 15, 2026

This job now has contents: write. If the repository write is only for publishing assets, consider reverting to contents: read here and limiting write permissions to the upload_assets job.

This issue also appears on line 1345 of the same file.

Suggested change
contents: write
contents: read

runs-on: ubuntu-slim
permissions:
contents: read
contents: write

Copilot AI Apr 15, 2026

This job now requests contents: write. If it only creates discussions/issues and does not publish assets itself, revert to contents: read and keep contents: write scoped to the upload_assets job that performs the git push.

This issue also appears on line 1249 of the same file.

Suggested change
contents: write
contents: read

runs-on: ubuntu-slim
permissions:
contents: read
contents: write

Copilot AI Apr 15, 2026

This job’s contents permission was elevated to write. If it doesn’t directly push commits/branches, keep contents: read here and scope contents: write to the asset publication job only.

This issue also appears on line 1460 of the same file.

Suggested change
contents: write
contents: read

Comment thread .github/workflows/daily-news.lock.yml Outdated
runs-on: ubuntu-slim
permissions:
contents: read
contents: write

Copilot AI Apr 15, 2026

This job now requests contents: write. If the only repository writes are for publishing assets, consider keeping this job at contents: read and restricting contents: write to the upload_assets job.

This issue also appears on line 1509 of the same file.

Suggested change
contents: write
contents: read

runs-on: ubuntu-slim
permissions:
contents: read
contents: write

Copilot AI Apr 15, 2026

This job now requests contents: write. If it only processes safe outputs / posts discussions and doesn’t push commits, consider reverting to contents: read and reserving write permissions for the upload_assets job.

This issue also appears on line 1450 of the same file.

Suggested change
contents: write
contents: read

@pelikhan
Collaborator

@copilot review all comments.

Contributor Author

Copilot AI commented Apr 15, 2026

@copilot review all comments.

Addressed all actionable review feedback in 224ad92.

  • Fixed python-dataviz.md asset summary to match upload-asset semantics (.jpeg included, persistent assets wording).
  • Reduced broadened contents: write in the reviewed generated lockfiles to contents: read for conclusion/safe_outputs jobs, keeping write scope on upload_assets publication jobs.
  • Updated permission computation/tests and recompiled lockfiles accordingly.

No UI changes were made in this update.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw /tmp/go-build4141480078/b001/importcfg -pack /tmp/go-build4141480078/b001/_testmain.go (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw -pack /home/REDACTED/work/gh-aw/gh-aw/cmd/gh-aw/main.go (http block)
  • https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v7
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v7 --jq [.object.sha, .object.type] | @tsv (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v7 --jq [.object.sha, .object.type] | @tsv d -n 10 (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v7 --jq [.object.sha, .object.type] | @tsv d-asset^{commit}remote.origin.url (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/docker/build-push-action/git/ref/tags/v7
    • Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v7 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/-
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq [.object.sha, .object.type] | @tsv (http block)

If you need me to access, download, or install something from one of these locations, you can either:
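
An added example, not code from this pull request or from gh-aw: a small checker for the least-privilege rule applied in this thread, reporting every job whose effective permissions include contents: write other than the upload_assets publication job. The sample lockfile is constructed, the function names are hypothetical, and the parser assumes the two-space block indentation seen in the quoted snippets.

```python
# Added example: flag jobs holding `contents: write` outside the publication job.
# Constructed sample; job names come from the thread, the layout is assumed.
SAMPLE_LOCKFILE = """\
name: Sample report
permissions: {}
jobs:
  conclusion:
    if: (!cancelled()) && needs.agent.result != 'skipped' && needs.detection.result == 'success'
    runs-on: ubuntu-slim
    permissions:
      contents: write
      discussions: write
      issues: write
  safe_outputs:
    runs-on: ubuntu-slim
    permissions:
      contents: read
      discussions: write
  upload_assets:
    runs-on: ubuntu-slim
    permissions:
      contents: write
"""

ALLOWED_WRITERS = {"upload_assets"}  # the only job expected to push to the repo


def inline_perms(value):
    """Map the scalar forms (`write-all`, `read-all`, `{}` or empty) to a dict."""
    return {"*": value[:-4]} if value in ("read-all", "write-all") else {}


def parse_permissions(text):
    """Return (workflow_level, {job: perms}); perms is None when a job has no block."""
    top, jobs = None, {}
    section = job = target = None
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if indent == 0:
            section, job, target = key, None, None
            if key == "permissions":
                top = target = inline_perms(value)
        elif section == "jobs" and indent == 2:
            job, target = key, None
            jobs[job] = None
        elif section == "jobs" and job and indent == 4:
            target = inline_perms(value) if key == "permissions" else None
            if target is not None:
                jobs[job] = target
        elif target is not None and indent == (2 if section == "permissions" else 6):
            target[key] = value
    return top, jobs


def unexpected_writers(text, scope="contents", allowed=ALLOWED_WRITERS):
    """Jobs whose effective `scope` permission is write but are not in `allowed`."""
    top, jobs = parse_permissions(text)
    flagged = []
    for job, perms in jobs.items():
        # A job-level block replaces the workflow-level one; with neither declared
        # the repository default applies, which the file alone cannot reveal.
        effective = (top if perms is None else perms) or {}
        if effective.get(scope, effective.get("*")) == "write" and job not in allowed:
            flagged.append(job)
    return sorted(flagged)
```

A job with no permissions block inherits the workflow-level block, which is why the checker resolves the effective value before comparing.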

@pelikhan
Collaborator

@copilot merge main and recompile

…s-use-upload-asset

# Conflicts:
#	.github/workflows/api-consumption-report.lock.yml
#	.github/workflows/audit-workflows.lock.yml
#	.github/workflows/copilot-pr-nlp-analysis.lock.yml
#	.github/workflows/copilot-token-audit.lock.yml
#	.github/workflows/daily-code-metrics.lock.yml
#	.github/workflows/daily-firewall-report.lock.yml
#	.github/workflows/daily-integrity-analysis.lock.yml
#	.github/workflows/daily-issues-report.lock.yml
#	.github/workflows/daily-performance-summary.lock.yml
#	.github/workflows/daily-repo-chronicle.lock.yml
#	.github/workflows/github-mcp-structural-analysis.lock.yml
#	.github/workflows/org-health-report.lock.yml
#	.github/workflows/portfolio-analyst.lock.yml
#	.github/workflows/prompt-clustering-analysis.lock.yml

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Apr 15, 2026

@copilot merge main and recompile

Done in 28f9e70.

Merged origin/main into this branch and recompiled workflow lockfiles. Merge conflicts were resolved and committed, and the branch is updated.

Note: full make recompile reports one unrelated existing compile failure (mempalace MCP gateway validation), but the conflicted/affected workflows were successfully recompiled and committed.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw -embedcfg /tmp/go-build1866450780/b063/embedcfg -pack (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/-
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq [.object.sha, .object.type] | @tsv (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI requested a review from pelikhan April 15, 2026 23:41
@pelikhan pelikhan merged commit f35999c into main Apr 15, 2026
@pelikhan pelikhan deleted the copilot/update-prompts-use-upload-asset branch April 15, 2026 23:42