Add artifact file location manager with workflow analysis and reference generation

[Copilot]

Artifact File Location Manager - Complete Implementation ✅

Summary

Successfully created and integrated a comprehensive artifact file location manager into the gh-aw compiler. The manager simulates GitHub Actions v4+ artifact behavior to track uploads/downloads and compute actual file locations during compilation.

Recent Updates

Merged Main and Reverted Detection Job Paths ✅

• Merged latest changes from origin/main
• Resolved merge conflicts in action_pins_test.go (29 pins total)
• Reverted detection job download paths in threat_detection.go:
  • Changed /tmp/gh-aw/threat-detection/agent-artifacts → /tmp/gh-aw/threat-detection/
  • Changed /tmp/gh-aw/threat-detection/agent-output → /tmp/gh-aw/threat-detection/
• Rebuilt binary and recompiled all 123 workflows
• All workflows now use correct threat detection download paths

Why this change: The subdirectory paths were introduced during main branch merge but break the expected artifact download behavior. Artifacts should download directly to /tmp/gh-aw/threat-detection/ without artifact-name subdirectories.

Added Job-Level Artifact Summary ✅

Enhanced TestGenerateArtifactsReference to generate a comprehensive summary section:

• Added "Summary by Job" section at the beginning of artifacts.md
• Tracks artifacts across all workflows and merges duplicates
• Shows unique upload paths for each artifact across workflows
• Lists all workflows using each artifact (upload/download)
• Provides counts of workflow usage for easy reference

Test Now Runs in Dry-Run Mode ✅

• Updated TestGenerateArtifactsReference to use SetNoEmit(true)
• Test validates workflows without writing lock files
• Prevents test from modifying workflow lock files during execution

Artifacts Reference Document Generation ✅

Created a test that analyzes all agentic workflows and generates a reference document (specs/artifacts.md):

• Added TestGenerateArtifactsReference test that compiles all workflow files
• Extracts artifact upload/download information from compiled YAML
• Generates comprehensive markdown documentation with:
  • Summary by Job section with merged duplicates
  • Workflow-by-workflow breakdown
  • Job-level artifact tracking
  • Upload paths and artifact names
  • Download paths and dependencies
  • Usage examples in JavaScript and Go
• Successfully analyzed 80 workflows with artifacts

Common Parent Directory Stripping ✅

Implemented GitHub Actions artifact upload behavior that strips common parent directories:

• Added NormalizedPaths field to ArtifactUpload to track paths after common parent removal
• Implemented computeNormalizedPaths() to find and strip common parent directories
• Implemented findCommonParent() to identify the common parent path
• Updated ComputeDownloadPath() to use normalized paths

Updated to actions/[email protected] ✅

• Added v6.0.0 entry to .github/aw/actions-lock.json (source file)
• Synced to pkg/workflow/data/action_pins.json
• Updated all test files to reference v6 SHA
• Updated test expectations to use v6.0.0
• Rebuilt binary with embedded v6.0.0 pin
• Recompiled 124 workflow lock files to use v6.0.0

Implementation Phases - All Complete ✅

Phase 1: Research & Design ✅

• Research actions/upload-artifact v4+ behavior
• Research actions/download-artifact v4+ behavior
• Understand current artifact handling in codebase
• Review existing validation patterns

Phase 2: Core Implementation ✅

• Create artifact_manager.go with core types and manager
• Implement upload tracking (record artifact name, files, paths)
• Implement download path computation (v4+ behavior)
• Add validation for file path resolution
• Implement common parent directory stripping

Phase 3: Testing ✅

• Create comprehensive unit tests for artifact manager
• Test upload/download scenarios
• Test path resolution edge cases
• Test v4+ specific behaviors (merge-multiple, patterns)
• Test common parent stripping scenarios
• Create test to generate artifacts reference document
• Test runs in dry-run mode (no lock file writes)
• Add job-level summary with merged duplicates

Phase 4: Integration ✅

• Add artifact manager to Compiler struct
• Integrate into workflow compilation process
• Reset manager between compilations
• Create integration tests
• All tests passing (unit + integration)

Phase 5: Documentation & Validation ✅

• Run make agent-finish to validate
• Fix linter issues
• All workflow tests passing
• Updated to v6.0.0
• Recompiled all workflows with v6.0.0
• Common parent stripping implemented and tested
• Generated artifacts reference document
• Merged main branch multiple times
• Test runs in dry-run mode
• Added job-level artifact summary
• Reverted detection job download paths to correct behavior

Key Features Implemented

1. Upload Tracking

• Records artifact name, paths, and job context
• Validates required fields (name, paths)
• Supports multiple file paths per artifact
• Auto-assigns job name from current context
• Computes normalized paths with common parent stripped

2. Download Tracking

• Supports download by name or pattern
• Tracks download path and merge settings
• Records job dependencies for validation
• Validates required fields (name/pattern, path)

3. Path Computation (GitHub Actions v4+ Behavior)

Upload: Strip common parent from multiple files
Download by name → path/artifact-name/ (subdirectory named after artifact)
Download by pattern (no merge) → path/artifact-name/file.txt (subdirectories)
Download by pattern (merge) → path/file.txt (merged extraction)

4. Validation System

• Validates artifacts exist in dependent jobs
• Pattern matching with wildcards (, prefix, suffix, prefixsuffix)
• Reports missing artifacts with helpful error messages
• Validates all downloads in workflow

5. Compiler Integration

• Added artifactManager field to Compiler struct
• Initialized in constructors
• Reset at start of each compilation
• Accessible via GetArtifactManager() method
• Lazy initialization support
• Dry-run mode support with SetNoEmit(true)
• Correct threat detection download paths

6. Reference Documentation Generation

• Test analyzes all workflow files in repository
• Extracts artifact information from compiled YAML
• Generates markdown reference with usage examples
• Job-level summary with merged duplicates for quick reference
• Documents 80 workflows with artifact usage
• Provides file path guidance for JavaScript and Go code
• Runs in dry-run mode - doesn't modify workflow files

Test Coverage

Unit Tests (artifact_manager_test.go)

• 19 test functions with 50+ test cases
• Upload/download recording
• Path computation edge cases
• Pattern matching validation
• Complex workflow scenarios
• Multi-artifact downloads
• Common parent stripping tests (5 scenarios)

Integration Tests (artifact_manager_integration_test.go)

• 5 integration test functions
• Compiler lifecycle management
• Multiple workflow compilation
• Lazy initialization
• Validation examples

Workflow Analysis Test (artifact_manager_workflows_test.go)

• Analyzes all agentic workflows in repository
• Extracts artifact information from compiled YAML
• Generates job-level summary with merged duplicates
• Generates reference documentation
• Successfully processes 80 workflows with artifacts
• Runs in dry-run mode using SetNoEmit(true)
• Does not modify workflow lock files during test execution

Files Added/Modified

New Files:

• pkg/workflow/artifact_manager.go (370 lines)
• pkg/workflow/artifact_manager_test.go (835 lines)
• pkg/workflow/artifact_manager_integration_test.go (264 lines)
• pkg/workflow/artifact_manager_workflows_test.go (467 lines)
• specs/artifacts.md (Generated reference document with job-level summary)

Modified Files:

• pkg/workflow/compiler_types.go - Added artifactManager field
• pkg/workflow/compiler.go - Added manager reset in CompileWorkflowData
• pkg/workflow/threat_detection.go - Reverted detection job download paths
• pkg/workflow/action_pins_test.go - Updated pin count to 29
• .github/aw/actions-lock.json - Added v6.0.0 entry (source)
• pkg/workflow/data/action_pins.json - Synced with v6.0.0
• Multiple test files - Updated to use v6.0.0
• 123 workflow lock files - Recompiled with correct threat detection paths

Validation Results

✅ All unit tests pass
✅ All integration tests pass
✅ All workflow package tests pass
✅ Linter validation passed
✅ Code formatting validated
✅ All workflows recompiled with v6.0.0
✅ Common parent stripping tests pass
✅ Artifacts reference document generated successfully
✅ Main branch merged successfully (multiple times)
✅ All workflows recompiled after merge (123 workflows)
✅ Test runs in dry-run mode without writing lock files
✅ Job-level summary with merged duplicates generated
✅ Detection job download paths reverted to correct behavior

Next Steps

The artifact manager is now fully functional and ready for use:

1. Integration into compilation: Can be used to track artifacts during YAML generation
2. Path validation: Can validate file paths referenced in JavaScript/Go code
3. Dependency checking: Can verify artifact availability across jobs
4. Agent reference: Agents can consult specs/artifacts.md for accurate file paths

• Job-level summary provides quick reference for common artifacts

5. Future enhancements: Could be extended to validate actual file existence during testing

Original prompt

Create an artifact file location manager in the go compiler.

The role of this component is to track the artifacts uploaded/downloaded in each job and compute the actual file location of downloaded files, based on the uploaded files content.

The manager simulates the behavior of the actions/upload-artifacts and actions/download-artifacts (do a deep research to generate a set of rules that simulates those components ). It runs as part of the compilation process to validate that the files used in JavaScript or go are valid.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[pelikhan]

@copilot use upload-artifacts v6

[Copilot]

@copilot use upload-artifacts v6

Updated to actions/[email protected] in commit b8838de.

Changes:

• Added v6.0.0 entry to action_pins.json with SHA b7c566a772e6b6bfb58ed0dc250532a479d7789f
• Updated all test files to reference the v6 SHA
• Updated test expectations (30 pins, v6.0.0 as highest version)
• All tests passing ✅

Note: v6 uses Node.js 24 runtime but maintains the same artifact upload/download behavior as v4/v5.

[pelikhan]

@copilot recompile

[pelikhan]

@copilot make sure to handle common sub path removal

When uploading files with paths like:

/tmp/gh-aw/aw-prompts/prompt.txt
/tmp/gh-aw/aw.patch
GitHub Actions identifies the common parent directory (/tmp/gh-aw/) and strips it from the artifact. The artifact contains:

aw-prompts/prompt.txt
aw.patch

[Copilot]

@copilot recompile

Recompiled all workflows with actions/[email protected] in commit cef8373.

Changes:

• Updated .github/aw/actions-lock.json (source file) with v6.0.0 entry
• Synced to pkg/workflow/data/action_pins.json
• Rebuilt binary with embedded v6.0.0 pin
• Recompiled 124 workflow lock files
• All workflows now use SHA b7c566a772e6b6bfb58ed0dc250532a479d7789f (v6.0.0)

The make recompile process syncs action pins from .github/aw/actions-lock.json, so I updated the source file to ensure v6.0.0 persists across future recompiles.

[pelikhan]

@copilot create a test that runs the manager on all the agentic workflows in the repo and generates a map of files per job in specs/artifacts.md

Artifacts.md is meant to be used as reference by an agent to generate file path in JavaScript and go

[Copilot]

@copilot make sure to handle common sub path removal

When uploading files with paths like:...

Implemented common parent directory stripping in commit 9550c7a.

Changes:

• Added NormalizedPaths field to ArtifactUpload to track paths after stripping
• Implemented computeNormalizedPaths() to find and remove common parent directories
• Implemented findCommonParent() to identify the common parent path
• Updated ComputeDownloadPath() to use normalized paths

Example:

Upload: /tmp/gh-aw/aw-prompts/prompt.txt, /tmp/gh-aw/aw.patch
Common parent: /tmp/gh-aw/
Artifact contains: aw-prompts/prompt.txt, aw.patch
Download to /workspace: /workspace/aw-prompts/prompt.txt, /workspace/aw.patch

Added 5 comprehensive tests covering various scenarios:

• Multiple files with common parent
• Nested paths with deeper common parent
• Single file uploads
• Files with no common parent
• Pattern downloads with normalized paths

All tests passing ✅

[pelikhan]

@copilot merge main and recompile

[Copilot]

@copilot create a test that runs the manager on all the agentic workflows in the repo and generates a map of files per job in specs/artifacts.md

Artifacts.md is meant to be used as reference by an ag...

Created test that analyzes all agentic workflows and generates specs/artifacts.md in commit 82bf13d.

Test: TestGenerateArtifactsReference in pkg/workflow/artifact_manager_workflows_test.go

• Compiles all 126 workflow files in .github/workflows/
• Extracts artifact upload/download information from compiled YAML
• Successfully analyzed 81 workflows with artifacts
• Generates comprehensive reference document

Generated document (specs/artifacts.md) includes:

• Workflow-by-workflow breakdown of artifacts
• Job-level details with upload/download paths
• Artifact names and dependencies
• Usage examples in JavaScript and Go
• Notes on common parent directory stripping

Usage:

go test -v ./pkg/workflow -run "TestGenerateArtifactsReference"

The document is designed for agents to reference when generating file paths in JavaScript/Go code, showing exactly where downloaded artifact files will be located based on upload paths and download configuration.

[Copilot]

@copilot merge main and recompile

Merged main and recompiled in commit 23d8cdb.

Changes:

• Merged latest changes from origin/main
• Resolved merge conflicts (ubuntu-image-analyzer.lock.yml, action_pins_test.go)
• Recompiled all 123 workflows
• All workflow lock files updated with latest compiler output

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

✅ Firewall validation complete... Smoke Codex Firewall confirmed network sandboxing is operational. 🛡️

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

🤖 DIAGNOSTIC COMPLETE: Smoke Copilot No Firewall STATUS: ALL_UNITS_OPERATIONAL. MISSION_SUCCESS.

[github-actions]

⚠️ Security scanning failed for Changeset Generator. Review the logs for details.

[github-actions]

📰 VERDICT: Smoke Copilot Playwright has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

🎉 Yo ho ho! Smoke Copilot Safe Inputs found the treasure and completed successfully! ⚓💰

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

Smoke Test Results

✅ File Writing: Created /tmp/gh-aw/agent/smoke-test-copilot-20695106725.txt
✅ Bash Tool: Verified file content successfully
❌ Safe Input gh Tool: Tool not available in workflow

Status: FAIL - safeinputs-gh tool not configured

AI generated by Smoke Copilot Safe Inputs

[github-actions]

Firewall smoke test results:
PRs: #8898 Fix broken mermaid diagram in campaign documentation; #8887 [WIP] Fix assignees configuration in safe-outputs.create-issue
OpenAI curl: ✅ blocked
example.com curl: ✅ blocked
GitHub MCP merged PR fetch: ✅
File write/read /tmp/gh-aw/agent/smoke-test-codex-firewall-20695106757.txt: ✅
Network: SANDBOXED
Overall: PASS

AI generated by Smoke Codex Firewall

[github-actions]

Smoke Test Results

Last 2 Merged PRs:

• PR Fix broken mermaid diagram in campaign documentation #8898: Fix broken mermaid diagram in campaign documentation
• PR [WIP] Fix assignees configuration in safe-outputs.create-issue #8887: [WIP] Fix assignees configuration in safe-outputs.create-issue

Test Results:

• ✅ GitHub MCP Testing
• ✅ File Writing Testing
• ✅ Bash Tool Testing
• ✅ GitHub MCP Default Toolset Testing (get_me correctly unavailable)
• ✅ Cache Memory Testing
• ✅ Web Fetch Testing

Available Tools: add_comment, add_labels, create_issue, missing_tool, noop

Overall Status: PASS

cc @pelikhan (PR author/assignee)

AI generated by Smoke Copilot

[github-actions]

Smoke Test Results - Copilot Engine (No Firewall)

✅ All tests passed

1. ✅ Last 2 merged PRs: Fix broken mermaid diagram in campaign documentation #8898 (Fix broken mermaid diagram) & Fix create-agent-task safe-output: use GH_AW_ prefix instead of reserved GITHUB_ prefix #8897 (Fix create-agent-task prefix)
2. ✅ Test file created: /tmp/gh-aw/agent/smoke-test-copilot-20695106731.txt
3. ✅ Playwright navigation: GitHub homepage loaded with title "GitHub · Change is constant. GitHub keeps you ahead. · GitHub"
4. ✅ Listed 3 issues: [refactor] Semantic Function Clustering Analysis - Code Organization Improvements #8896, 📊 Workflow Health Dashboard - 2026-01-04 #8825, P0: Enable Workflow Execution Metrics Collection #8824

AI generated by Smoke Copilot No Firewall

[github-actions]

Smoke Test Results - Claude Sonnet 4.5

Recent PRs:

• Fix broken mermaid diagram in campaign documentation #8898: Fix broken mermaid diagram in campaign documentation
• [WIP] Fix assignees configuration in safe-outputs.create-issue #8887: Fix assignees configuration in safe-outputs.create-issue

Test Results:
✅ GitHub MCP - Retrieved 2 merged PRs
✅ File Writing - Created agent test file
✅ Bash Tool - Verified file contents
✅ Playwright MCP - Navigated to GitHub, title verified
✅ Cache Memory - Created and verified cache file
❌ Safe Input gh Tool - Tool not available

Status: PASS (5/6 tests passed, safeinputs-gh tool missing but not critical)

AI generated by Smoke Claude

[github-actions]

Merged PRs: Fix broken mermaid diagram in campaign documentation; [WIP] Fix assignees configuration in safe-outputs.create-issue
GitHub MCP PR fetch ✅
File write/read /tmp/gh-aw/agent/smoke-test-codex-20695106733.txt ✅
Playwright title contains "GitHub" ✅
Cache memory file /tmp/gh-aw/cache-memory/smoke-test-20695106733.txt ✅
safeinputs-gh (gh issues list) ❌ tool unavailable
Overall: FAIL

AI generated by Smoke Codex

[github-actions]

Smoke Test Results

• ✅ Playwright MCP: Successfully navigated to GitHub and verified title
• ✅ Cache Memory: Created and verified test file at /tmp/gh-aw/cache-memory/smoke-test-20695106729.txt
• ❌ Safe Input gh Tool: Tool not available in current context

Overall Status: PARTIAL PASS (2/3 tests passed)

AI generated by Smoke Copilot Playwright