fix: use RUNNER_TEMP for upload_artifact staging directory path#25882
Merged
fix: use RUNNER_TEMP for upload_artifact staging directory path#25882
Conversation
…n files Update safeoutputs upload-artifacts staging directory references from /tmp/gh-aw/safeoutputs/upload-artifacts/ to $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/ in 7 workflow markdown files. Only user-visible instructions/comments are updated; other /tmp/gh-aw/ paths are left unchanged. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
The upload_artifact handler hardcoded STAGING_DIR to /tmp/gh-aw/safeoutputs/upload-artifacts/ but the safe_outputs job downloads the staging artifact to $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/. This path mismatch caused the handler to always find an empty staging directory. Changes: - upload_artifact.cjs: derive STAGING_DIR from process.env.RUNNER_TEMP - safe_outputs_tools.json: update tool descriptions to reference $RUNNER_TEMP - Workflow .md files: update staging path instructions for agents - Add test verifying RUNNER_TEMP is respected Agent-Logs-Url: https://github.com/github/gh-aw/sessions/0f4f62eb-e7f8-43a3-87f1-1acf94718223 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…dule load time behavior Agent-Logs-Url: https://github.com/github/gh-aw/sessions/0f4f62eb-e7f8-43a3-87f1-1acf94718223 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot created this pull request from a session on behalf of
pelikhan
April 12, 2026 01:49
View session
pelikhan
approved these changes
Apr 12, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
Fixes a staging-directory mismatch for the upload_artifact safe-output tool by aligning the handler, tool descriptions, and workflow instructions with the ${{ runner.temp }} / RUNNER_TEMP-based path used by the compiled workflows.
Changes:
- Update
upload_artifacthandler to computeSTAGING_DIRfromRUNNER_TEMP(with/tmpfallback). - Update safe-output tool descriptions (both JSON copies) to reference
$RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/. - Update multiple workflow prompt docs to instruct staging into
$RUNNER_TEMP/...and extend tests to cover customRUNNER_TEMP+ fallback behavior.
Show a summary per file
| File | Description |
|---|---|
actions/setup/js/upload_artifact.cjs |
Switch staging directory resolution to RUNNER_TEMP to match compiled workflow behavior. |
actions/setup/js/upload_artifact.test.cjs |
Ensure tests unset RUNNER_TEMP by default; add coverage for custom RUNNER_TEMP and fallback. |
actions/setup/js/safe_outputs_tools.json |
Update upload_artifact tool description/schema to reference $RUNNER_TEMP staging path. |
pkg/workflow/js/safe_outputs_tools.json |
Same $RUNNER_TEMP staging path update for the workflow-side tools bundle. |
.github/workflows/shared/safe-output-upload-artifact.md |
Update shared guidance to stage artifacts under $RUNNER_TEMP. |
.github/workflows/unbloat-docs.md |
Update screenshot staging instructions to use $RUNNER_TEMP. |
.github/workflows/docs-noob-tester.md |
Update screenshot staging instructions to use $RUNNER_TEMP. |
.github/workflows/daily-performance-summary.md |
Update chart staging instructions to use $RUNNER_TEMP. |
.github/workflows/daily-firewall-report.md |
Update chart staging instructions to use $RUNNER_TEMP. |
.github/workflows/audit-workflows.md |
Update chart staging instructions to use $RUNNER_TEMP. |
.github/workflows/approach-validator.md |
Update report staging path to use $RUNNER_TEMP. |
.github/workflows/api-consumption-report.md |
Update staging instructions/verification commands to use $RUNNER_TEMP (quoted). |
.github/workflows/smoke-copilot.md |
Update artifact staging instruction snippet to use $RUNNER_TEMP. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 13/13 changed files
- Comments generated: 7
Comment on lines
+41
to
+48
| /** | ||
| * Staging directory where the model places files to be uploaded. | ||
| * Uses RUNNER_TEMP to match the path used by the compiled workflow when | ||
| * downloading the staging artifact in the safe_outputs job. | ||
| * Note: Computed once at module load time. RUNNER_TEMP must be set before | ||
| * this module is required/evaluated. | ||
| */ | ||
| const STAGING_DIR = path.join(process.env.RUNNER_TEMP || "/tmp", "gh-aw", "safeoutputs", "upload-artifacts") + path.sep; |
There was a problem hiding this comment.
The module-level header comment earlier in this file still states that files can be pre-staged in /tmp/gh-aw/safeoutputs/upload-artifacts/, but STAGING_DIR is now derived from RUNNER_TEMP. To avoid misleading future changes/debugging, update the earlier documentation to reference the new $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/ location (and mention the /tmp fallback if relevant).
Comment on lines
+321
to
+322
| mkdir -p $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts | ||
| cp /tmp/gh-aw/mcp-logs/playwright/<screenshot>.png $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/ |
There was a problem hiding this comment.
In bash snippets, $RUNNER_TEMP should be quoted to avoid word-splitting/globbing if the path ever contains spaces or special characters. Consider using "$RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts" in both the mkdir and cp commands for consistency with other workflow docs.
Suggested change
| mkdir -p $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts | |
| cp /tmp/gh-aw/mcp-logs/playwright/<screenshot>.png $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/ | |
| mkdir -p "$RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts" | |
| cp /tmp/gh-aw/mcp-logs/playwright/<screenshot>.png "$RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/" |
Comment on lines
+176
to
+177
| mkdir -p $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts | ||
| cp /tmp/gh-aw/screenshots/<filename>.png $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/ |
There was a problem hiding this comment.
In bash snippets, $RUNNER_TEMP should be quoted to avoid word-splitting/globbing. Consider updating these commands to use "$RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts" (and the destination with a trailing /) for robustness and consistency.
Suggested change
| mkdir -p $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts | |
| cp /tmp/gh-aw/screenshots/<filename>.png $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/ | |
| mkdir -p "$RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts" | |
| cp /tmp/gh-aw/screenshots/<filename>.png "$RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/" |
Comment on lines
+371
to
+373
| cp /tmp/gh-aw/python/charts/activity_overview.png $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/ | ||
| cp /tmp/gh-aw/python/charts/resolution_metrics.png $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/ | ||
| cp /tmp/gh-aw/python/charts/velocity_metrics.png $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/ |
There was a problem hiding this comment.
These cp destinations expand $RUNNER_TEMP unquoted. Quoting the destination path (e.g., "$RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/") avoids word-splitting and keeps the snippet consistent with other workflow instructions.
Suggested change
| cp /tmp/gh-aw/python/charts/activity_overview.png $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/ | |
| cp /tmp/gh-aw/python/charts/resolution_metrics.png $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/ | |
| cp /tmp/gh-aw/python/charts/velocity_metrics.png $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/ | |
| cp /tmp/gh-aw/python/charts/activity_overview.png "$RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/" | |
| cp /tmp/gh-aw/python/charts/resolution_metrics.png "$RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/" | |
| cp /tmp/gh-aw/python/charts/velocity_metrics.png "$RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/" |
Comment on lines
+109
to
+110
| cp /tmp/gh-aw/python/charts/firewall_trends.png $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/ | ||
| cp /tmp/gh-aw/python/charts/blocked_domains.png $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/ |
There was a problem hiding this comment.
Consider quoting $RUNNER_TEMP in these bash commands (e.g., "$RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/") to avoid word-splitting/globbing edge cases and match the quoting style used elsewhere.
Suggested change
| cp /tmp/gh-aw/python/charts/firewall_trends.png $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/ | |
| cp /tmp/gh-aw/python/charts/blocked_domains.png $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/ | |
| cp /tmp/gh-aw/python/charts/firewall_trends.png "$RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/" | |
| cp /tmp/gh-aw/python/charts/blocked_domains.png "$RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/" |
| - Use the `add_comment` tool with `discussion_number: <extracted_number>` to add a fun, playful comment stating that the smoke test agent was here | ||
| 9. **Build gh-aw**: Run `GOCACHE=/tmp/go-cache GOMODCACHE=/tmp/go-mod make build` to verify the agent can successfully build the gh-aw project (both caches must be set to /tmp because the default cache locations are not writable). If the command fails, mark this test as ❌ and report the failure. | ||
| 10. **Upload gh-aw binary as artifact**: After a successful build, use bash to copy the `./gh-aw` binary into the staging directory (`mkdir -p /tmp/gh-aw/safeoutputs/upload-artifacts && cp ./gh-aw /tmp/gh-aw/safeoutputs/upload-artifacts/gh-aw`), then call the `upload_artifact` safe-output tool with `path: "gh-aw"`. The `upload_artifact` tool is available and configured in this workflow run — use it directly, do NOT use `missing_tool` for it. Mark this test as ❌ if the build in step 9 failed. | ||
| 10. **Upload gh-aw binary as artifact**: After a successful build, use bash to copy the `./gh-aw` binary into the staging directory (`mkdir -p $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts && cp ./gh-aw $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/gh-aw`), then call the `upload_artifact` safe-output tool with `path: "gh-aw"`. The `upload_artifact` tool is available and configured in this workflow run — use it directly, do NOT use `missing_tool` for it. Mark this test as ❌ if the build in step 9 failed. |
There was a problem hiding this comment.
This inline bash snippet uses $RUNNER_TEMP unquoted. For robustness (and to prevent accidental word-splitting if paths ever change), quote the staging directory in both mkdir and cp commands.
Suggested change
| 10. **Upload gh-aw binary as artifact**: After a successful build, use bash to copy the `./gh-aw` binary into the staging directory (`mkdir -p $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts && cp ./gh-aw $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/gh-aw`), then call the `upload_artifact` safe-output tool with `path: "gh-aw"`. The `upload_artifact` tool is available and configured in this workflow run — use it directly, do NOT use `missing_tool` for it. Mark this test as ❌ if the build in step 9 failed. | |
| 10. **Upload gh-aw binary as artifact**: After a successful build, use bash to copy the `./gh-aw` binary into the staging directory (`mkdir -p "$RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts" && cp ./gh-aw "$RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/gh-aw"`), then call the `upload_artifact` safe-output tool with `path: "gh-aw"`. The `upload_artifact` tool is available and configured in this workflow run — use it directly, do NOT use `missing_tool` for it. Mark this test as ❌ if the build in step 9 failed. |
|
|
||
| ```bash | ||
| cat > /tmp/gh-aw/safeoutputs/upload-artifacts/approach-validation-report-${{ github.run_id }}.md << 'REPORT_EOF' | ||
| cat > $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/approach-validation-report-${{ github.run_id }}.md << 'REPORT_EOF' |
There was a problem hiding this comment.
The redirect target path uses $RUNNER_TEMP unquoted. Quoting the full path (e.g., "$RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/...") avoids word-splitting/globbing edge cases and matches the quoting used in other workflow docs.
Suggested change
| cat > $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/approach-validation-report-${{ github.run_id }}.md << 'REPORT_EOF' | |
| cat > "$RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/approach-validation-report-${{ github.run_id }}.md" << 'REPORT_EOF' |
Closed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
upload_artifacthandler hardcodesSTAGING_DIR = "/tmp/gh-aw/safeoutputs/upload-artifacts/"but the compiled workflow downloads the staging artifact to${{ runner.temp }}/gh-aw/safeoutputs/upload-artifacts/. These are different paths —RUNNER_TEMPis typically/home/runner/work/_temp, not/tmp. The handler always finds an empty staging directory.Same mismatch affects the agent inside Docker: the writable mount is at
${RUNNER_TEMP}/gh-aw/safeoutputs/upload-artifacts/but tool descriptions told the agent to stage files to/tmp/gh-aw/..., which is container-local and lost on exit.Handler fix
Tool descriptions
safe_outputs_tools.json(both copies) to reference$RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/Workflow prompts
.mdfiles andshared/safe-output-upload-artifact.mdTests
RUNNER_TEMPin testbeforeEachso handler falls back to/tmp(matching test fixtures)RUNNER_TEMPstaging directory/tmpfallback whenRUNNER_TEMPis unset