feat: update upload-asset to use GitHub Actions artifact API with temporary IDs

[Copilot]

Summary

Updates the upload-asset safe output to use the GitHub Actions Twirp artifact API (archive:false, version 7) instead of pushing to an orphaned git branch. The handler now returns a temporary asset ID that is resolved to the real artifact URL before issues/comments are created.

What changed

New flow

1. Agent calls upload_asset('/tmp/chart.png') → receives temporary ID, e.g. aw_XYZ123
2. Agent uses the ID in markdown: ![chart](aw_XYZ123)
3. upload_assets job uploads the file using the GitHub Actions Twirp API (archive:false) and outputs asset_url_map: {"aw_XYZ123": "https://github.com/owner/repo/actions/runs/123/artifacts/456"}
4. safe_outputs job (which now depends on upload_assets) replaces (aw_XYZ123) in body text with the real artifact URL before creating issues/comments

Key changes

• safe_outputs_handlers.cjs – returns temporary ID instead of precomputed URL; removes GH_AW_ASSETS_BRANCH dependency
• upload_assets.cjs – rewritten to use GitHub Actions Twirp API (CreateArtifact / FinalizeArtifact) instead of git push; outputs asset_url_map
• temporary_id.cjs – new loadAssetUrlMap() and replaceAssetIdReferences() for URL-position replacement of (aw_XYZ) patterns
• create_issue.cjs, add_comment.cjs, create_discussion.cjs – call replaceAssetIdReferences on body text before publishing
• compiler_safe_outputs_job.go – safe_outputs now depends on upload_assets; receives GH_AW_ASSET_URL_MAP; condition handles skipped upload_assets (success || skipped)
• publish_assets.go – removes git checkout/push steps; permissions changed from contents: write to actions: write; UploadAssetsConfig struct removes BranchName field
• All GH_AW_ASSETS_BRANCH references removed from mcp_environment.go, mcp_setup_generator.go, codex_engine.go, compiler_main_job.go
• Updated tool description and prompt to explain temporary ID usage

Validation

• All 175 workflows recompiled successfully
• All Go tests pass (pkg/workflow/...)
• All JS tests pass (5364/5364, excluding 1 pre-existing network-blocked live API test)
• CodeQL security scan: no alerts

[pelikhan]

@copilot merge main and recompile

[Copilot]

@copilot merge main and recompile

Done. Merged main (including the MCP gateway v0.1.18 bump and ecosystem domain fixes) into this branch, resolved conflicts (keeping our temporary ID approach), rebuilt the binary, and recompiled all 175 workflows. Golden test files updated accordingly. Commit: 8c49f16.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw LgUTc3LQbtXC (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw -embedcfg /tmp/go-build2203116627/b295/embedcfg -pack (http block)
• https://api.github.com/orgs/test-owner/actions/secrets
  • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name ithub/workflows (http block)
• https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha /tmp/gh-aw-test-runs/20260318-231316-15257/test-1935706277 rev-parse /opt/hostedtoolcache/node/24.14.0/x64/bin/node @{u} cfg 64/pkg/tool/linu--show-toplevel node /tmp�� /home/REDACTED/work/gh-aw/gh-aw/.github/workflows/agent-performance-analyzer.md 64/pkg/tool/linux_amd64/vet /opt/hostedtoolcache/node/24.14.0/x64/bin/node th .prettierignogit cfg odules/npm/node_--show-toplevel /opt/hostedtoolcache/node/24.14.0/x64/bin/node (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --all-progress-implied --revs /node_modules/.bin/git --thin --delta-base-offrev-parse -q git fetc�� origin -- k/gh-aw/node_modules/.bin/git . lure test commitrev-parse k/_temp/ghcca-no--show-toplevel git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha "prettier" --write '../../../**/*.json' '!../../../pkg/workflow/-p stmain.go ache/go/1.25.0/x64/pkg/tool/linux_amd64/link ithub/workflows (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha --show-toplevel git tions/setup/js/node_modules/.bin/git -M main /home/REDACTED/.lo--count git push�� -u origin git main..emoji-suffgit --stdout de/node/bin/git git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v5
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha .js' --ignore-path .prettierignore --log-level=error 641530/b176/vet.cfg x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha -f 64/pkg/tool/linu-importcfg /usr/bin/git ../pkg/workflow/git rev-parse x_amd64/vet git rev-�� --show-toplevel x_amd64/vet /usr/bin/git se 641530/b014/vet.rev-parse 64/bin/node git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel /opt/hostedtoolc-extld=gcc /usr/bin/git BBRVgf-GF -buildtags k/gh-aw/node_mod--show-toplevel git rev-�� --show-toplevel ortcfg /usr/bin/git p/smoke_test_225git /tmp/go-build430rev-parse ache/go/1.25.0/x--show-toplevel git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha test/race-image:v1.0.0 -dwarf=false /usr/bin/git go1.25.0 -c=4 -nolocalimports git conf�� user.name Test User /usr/bin/git k/gh-aw/gh-aw/.ggit cfg 64/pkg/tool/linu--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha /tmp/TestHashConsistency_GoAndJavaScript1632900740/001/test-frontmatter-with-nes--detach x_amd64/vet /usr/lib/git-core/git js/**/*.json' --git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git e formatted" /tmp/go-build430rev-parse ache/go/1.25.0/x--show-toplevel git rev-�� --show-toplevel /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linurev-parse /usr/bin/git -unreachable=falgit /tmp/go-build430rev-parse .cfg git (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v8
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha --noprofile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha h ../../../.prettierignore -- modules/@npmcli/run-script/lib/node-gyp-bin/sh (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha h ../../../.pret.prettierignore (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha /tmp/TestHashConsistency_GoAndJavaScript1632900740/001/test-complex-frontmatter-with-tools.md x_amd64/vet /usr/bin/git js/**/*.json' --git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha etch-fail..shallow-fetch-fail Initial commit cal/bin/git -m =main n-dir/git git comm�� -m (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha /tmp/go-build4225492927/b435/stringutil.test -importcfg /usr/bin/git -s -w -buildmode=exe git rev-�� --git-dir -extld=gcc /usr/bin/git --noprofile cfg 64/pkg/tool/linu--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha etch-fail..shallow-fetch-fail Initial commit k/_temp/ghcca-node/node/bin/git -m =main tnet/tools/git git comm�� -m (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha (http block)
• https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha 5492927/b418/logger.test git 5492927/b418/importcfg.link --local credential.usernrev-parse k/_temp/ghcca-no--show-toplevel sAFIA48ngLY-h/fQkmIpjEVxgPIJbBLrkR/yyjxJESSHc3089fRgrZr/tga2eoUsAFIA48ngLY-h -c runs/20260318-231316-15257/test-1286998141/.github/workflows git 5492927/b418/_pkg_.a l copilot/update-urev-parse me: String!) { --show-toplevel bash (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha main..multiline-branch tes" and 'apostrophes' and $variables and backticks bin/git REDACTED main:main cal/bin/git git log -1 --format=%B /git --show-toplevel git tions/setup/js/n-m git (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
• https://api.github.com/repos/github/gh-aw
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility pi^{commit} (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha 1316-15257/test-1935706277 -tests 5492927/b421/importcfg.link --local credential.helperev-parse cal/bin/bash NVNgnGPLEQds7/eMdwFO3cBOLj36ZOwlHC/wPHmRHH07drGotDxh6_4/9rUbv3kNremote.origin.url -c ry=1 git ache/node/24.14.0/x64/bin/node copilot/update-ugit (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha conflict.txt (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha "prettier" --write '**/*.cjs' '**/*.ts' '**/*.json' --ignore-path ../../../.pret.prettierignore -tests (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha -m (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
  • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 -f ules/.bin/sh l owner=github -f ache/go/1.25.0/x64/pkg/tool/linurev-parse (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
  • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 om/stretchr/testify@v1.11.1/requmain x86_64/node (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
  • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 config x_amd64/compile remote.origin.urgit (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
  • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 rev-parse x_amd64/compile l (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
  • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 cfg ache/go/1.25.0/x64/pkg/tool/linu-nilfunc remote.origin.urgit (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
  • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
  • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 config de_modules/.bin/sh remote.origin.urgit (http block)
• https://api.github.com/repos/github/gh-aw/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --noprofile (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 (http block)
• https://api.github.com/repos/github/gh-aw/contents/.github%2Fworkflows%2Faudit-workflows.md
  • Triggering command: /opt/hostedtoolcache/node/24.14.0/x64/bin/node /opt/hostedtoolcache/node/24.14.0/x64/bin/node --conditions node --conditions development --experimental-import-meta-resolve --require /home/REDACTED/work/gh-aw/gh-aw/actions/setup/js/node_modules/vitest/suppress-warnings.cjs /home/REDACTED/work/gh-aw/gh-aw/actions/setup/js/node_modules/vitest/dist/workers/forks.js d114e85a^ d114e85a git comm�� -m Initial commit git --name-status 0ed9857ac335fc9dls-remote de_modules/.bin/origin /usr/lib/git-correfs/heads/no-body-branch (http block)
  • Triggering command: /opt/hostedtoolcache/node/24.14.0/x64/bin/node /opt/hostedtoolcache/node/24.14.0/x64/bin/node --conditions node --conditions development --experimental-import-meta-resolve --require /home/REDACTED/work/gh-aw/gh-aw/actions/setup/js/node_modules/vitest/suppress-warnings.cjs /home/REDACTED/work/gh-aw/gh-aw/actions/setup/js/node_modules/vitest/dist/workers/forks.js git /home/REDACTED/wor/tmp/go-handler-test-qVl1w9/text-output.go git ance�� -u (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha files..." 641530/b024/vet.cfg At,event,headBranch,headSha,displayTitle -f owner=github -f ache/go/1.25.0/x64/pkg/tool/linurev-parse 0/x6�� 2599681609/.github/workflows config ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet remote.origin.urgit (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha /ref/tags/v8 /opt/hostedtoolcache/go/1.25.0/x--json /usr/bin/infocmp vaScript16329007git -buildtags ache/go/1.25.0/x--show-toplevel infocmp -1 xterm-color ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /usr/bin/git "prettier" --wrigit -tests /opt/hostedtoolc--show-toplevel git (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha ithub/workflows (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha k/gh-aw/gh-aw/.github/workflows (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha --noprofile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha ithub/workflows (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha ithub/workflows (http block)
• https://api.github.com/repos/githubnext/agentics/git/ref/tags/
  • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha (http block)
• https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha y-test.md 641530/b021/vet.cfg de_modules/.bin/sh (http block)
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git g/repoutil/repougit g/repoutil/repourev-parse /snap/bin/sh git rev-�� --show-toplevel sh /usr/bin/git "prettier" --wrigit git .cfg git (http block)
• https://api.github.com/repos/nonexistent/repo/actions/runs/12345
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion (http block)
• https://api.github.com/repos/owner/repo/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo x_amd64/vet (http block)
• https://api.github.com/repos/owner/repo/contents/file.md
  • Triggering command: /tmp/go-build4225492927/b399/cli.test /tmp/go-build4225492927/b399/cli.test -test.testlogfile=/tmp/go-build4225492927/b399/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true ACCEPT (http block)
• https://api.github.com/repos/test-owner/test-repo/actions/secrets
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name ithub/workflows (http block)
• invalid.example.invalid
  • Triggering command: /usr/lib/git-core/git-remote-https /usr/lib/git-core/git-remote-https origin https://invalid.example.invalid/nonexistent-repo.git git comm�� -m Initial commit de_modules/.bin/git user.email test@test.com /git git conf�� user.email test@test.com git -u origin run-script/lib/nagent-change.txt git (dns block)
  • Triggering command: /usr/lib/git-core/git-remote-https /usr/lib/git-core/git-remote-https origin https://invalid.example.invalid/nonexistent-repo.git e/git init�� 0/x64/bin/git git tions/setup/js/node_modules/.bin/git user.email test@example.comcheckout /git git bran�� -M main k/gh-aw/gh-aw/actions/setup/js/node_modules/.bin/git /tmp/bare-incremgit gin/feature-branadd cal/bin/git git (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Copilot]

Pull request overview

Updates the upload_asset safe-outputs flow to return a temporary asset ID and later resolve it to a GitHub Actions artifact URL before publishing issues/comments/discussions.

Changes:

• Update user-facing tool/prompt descriptions to document temporary asset IDs (aw_...) and markdown usage.
• Pass an asset_url_map from upload_assets to safe_outputs and perform asset-ID → URL substitution before publishing content.
• Remove GH_AW_ASSETS_BRANCH from generated environments and recompile/refresh workflow fixtures and lockfiles accordingly.

Reviewed changes

Copilot reviewed 201 out of 201 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
pkg/workflow/unified_prompt_step.go	Updates prompt guidance for upload_asset to describe temporary asset IDs and markdown usage.
pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden	Updates golden fixture to remove GH_AW_ASSETS_BRANCH passthrough.
pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-test-tools.golden	Updates golden fixture to remove GH_AW_ASSETS_BRANCH passthrough.
pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden	Updates golden fixture to remove GH_AW_ASSETS_BRANCH passthrough.
pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/claude-with-network.golden	Updates golden fixture to remove GH_AW_ASSETS_BRANCH passthrough.
pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden	Updates golden fixture to remove GH_AW_ASSETS_BRANCH passthrough.
pkg/workflow/safe_outputs_env.go	Removes branch env var; keeps max-size/ext allowlist env vars for handler validation.
pkg/workflow/safe_output_helpers_test.go	Updates env-var expectations to drop GH_AW_ASSETS_BRANCH.
pkg/workflow/publish_assets_test.go	Updates tests for config parsing/output expectations and asserts asset_url_map output wiring.
pkg/workflow/mcp_setup_generator.go	Removes GH_AW_ASSETS_BRANCH from MCP gateway env passthrough list.
pkg/workflow/mcp_environment.go	Stops exporting GH_AW_ASSETS_BRANCH into MCP tool environment.
pkg/workflow/js/safe_outputs_tools.json	Updates upload_asset tool description to temporary-ID + artifact-based behavior.
pkg/workflow/compiler_safe_outputs_job.go	Adds upload_assets dependency/condition and passes GH_AW_ASSET_URL_MAP into safe_outputs.
pkg/workflow/compiler_safe_outputs_config.go	Stops emitting branch config for upload-assets handler.
pkg/workflow/compiler_main_job.go	Removes GH_AW_ASSETS_BRANCH from main job env defaults.
pkg/workflow/codex_engine.go	Removes GH_AW_ASSETS_BRANCH from the safe-outputs env allowlist/policy.
actions/setup/js/temporary_id.cjs	Adds asset URL map loading and (aw_...) URL-position replacement helper(s).
actions/setup/js/safe_outputs_tools.json	Updates upload_asset tool description to temporary-ID + artifact-based behavior.
actions/setup/js/create_issue.cjs	Resolves asset IDs to artifact URLs in issue bodies prior to publishing.
actions/setup/js/create_discussion.cjs	Resolves asset IDs to artifact URLs in discussion bodies prior to publishing.
actions/setup/js/add_comment.cjs	Resolves asset IDs to artifact URLs in comment bodies prior to publishing.
.github/workflows/workflow-normalizer.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/workflow-health-manager.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/workflow-generator.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/video-analyzer.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/update-astro.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/ubuntu-image-analyzer.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/typist.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/tidy.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/test-workflow.lock.yml	Removes GH_AW_ASSETS_BRANCH from MCP gateway command passthrough.
.github/workflows/test-project-url-default.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/test-dispatcher.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/test-create-pr-error-handling.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/terminal-stylist.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/super-linter.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/step-name-alignment.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/static-analysis-report.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/smoke-test-tools.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/smoke-project.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/sergo.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/semantic-function-refactor.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/security-review.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/security-compliance.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/scout.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/schema-consistency-checker.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/safe-output-health.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/research.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/repo-tree-map.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/release.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/refiner.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/q.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/prompt-clustering-analysis.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/pr-triage-agent.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/plan.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/pdf-summary.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/metrics-collector.lock.yml	Removes GH_AW_ASSETS_BRANCH from MCP gateway command passthrough.
.github/workflows/mergefest.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/lockfile-stats.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/layout-spec-maintainer.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/jsweep.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/issue-monster.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/instructions-janitor.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/hourly-ci-cleaner.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/grumpy-reviewer.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/gpclean.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/go-pattern-detector.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/go-fan.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/github-mcp-tools-report.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/firewall.lock.yml	Removes GH_AW_ASSETS_BRANCH from MCP gateway command passthrough.
.github/workflows/firewall-escape.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/example-workflow-analyzer.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/example-permissions-warning.lock.yml	Removes GH_AW_ASSETS_BRANCH from MCP gateway command passthrough.
.github/workflows/draft-pr-cleanup.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/discussion-task-miner.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/dev.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/dev-hawk.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/delight.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/dead-code-remover.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/daily-team-status.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/daily-security-red-team.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/daily-secrets-analysis.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/daily-safe-output-optimizer.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/daily-function-namer.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/daily-file-diet.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/daily-compiler-quality.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/daily-choice-test.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/craft.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/copilot-agent-analysis.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/contribution-check.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/commit-changes-analyzer.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/codex-github-remote-mcp-test.lock.yml	Removes GH_AW_ASSETS_BRANCH from MCP gateway command passthrough.
.github/workflows/code-simplifier.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/cloclo.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/cli-version-checker.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/ci-doctor.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/ci-coach.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/brave.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/bot-detection.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/blog-auditor.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/artifacts-summary.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/archie.lock.yml	Removes GH_AW_ASSETS_BRANCH from env and MCP gateway command passthrough.
.github/workflows/ace-editor.lock.yml	Removes GH_AW_ASSETS_BRANCH from MCP gateway command passthrough.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.