upload-pipeline-artifact safe output fails with HTTP 400: Content-Range header not understood

[jamesadevine]

Summary

The upload-pipeline-artifact safe output in ado-aw v0.26.1 fails with an HTTP 400 error on every invocation. The Azure DevOps container API rejects the Content-Range header sent by ado-aw's upload implementation.

Repro

1. Configure an agent with upload-pipeline-artifact safe outputs (e.g. allowed-extensions: [".md"])
2. Run the pipeline — agent produces valid output files in Stage 1, passes threat analysis in Stage 2
3. Stage 3 (Execute safe outputs) fails — all upload-pipeline-artifact calls return HTTP 400

Error

All safe output executions fail identically:

[WARN] [ado_aw::execute] [1/4] upload-pipeline-artifact failed: Failed to upload file to container #9724435 (HTTP 400 Bad Request): {"count":36,"value":"Content-Range header not understood."}

Total: 4 | Success: 0 | Warnings: 0 | Failed: 4

Environment

• ado-aw version: v0.26.1
• Platform: Linux (Azure Pipelines agent)
• Azure DevOps: Azure DevOps Services (cloud)

Analysis

The Content-Range header format sent by ado-aw's container upload implementation does not match what the Azure DevOps Artifact Container API expects. The upload target (container ID, token acquisition, etc.) all succeed — only the actual file upload HTTP request is rejected.

What works correctly:

• Agent execution (Stage 1) ✅
• Threat analysis (Stage 2) ✅
• Service connection token acquisition ✅
• ado-aw binary download and checksum verification ✅

Impact

All pipelines using upload-pipeline-artifact safe outputs are broken on v0.26.1.