Standardize safe output references to singular "upload-asset" and separate job

[Copilot]

Upload-Asset Standardization - COMPLETE ✅

Make all safe output references to "upload-asset" singular, consistent across frontmatter and safe outputs processing.

All Changes Completed:

• JavaScript (safe output processing)

  • Updated upload_assets.cjs to only handle upload_asset (singular underscore)
  • Removed legacy handling for upload-assets (plural hyphen) - normalization happens before this point
  • Keep "upload_asset" as the standard type
  • Removed test for legacy handling (no longer needed)

• Go Code (configuration)

  • Updated safe_outputs_config.go line 133 to return "upload_asset"
  • Updated imports.go to check "upload-asset" instead of "upload-assets"
  • Updated publish_assets.go to parse "upload-asset"
  • Updated compiler_types.go yaml tag to "upload-asset"
  • Updated tests in publish_assets_test.go
  • Updated tests in upload_assets_config_test.go
  • Updated test in checkout_persist_credentials_test.go
  • Removed unused buildUploadAssetsStepConfig function
  • Added threat detection dependency to upload_assets job when enabled

• JSON Schema

  • Changed "upload-assets" to "upload-asset" in schema

• Codemod Tool

  • Created codemod to fix frontmatter (convert "upload-assets" to "upload-asset")

• Applied Codemod

  • Ran codemod on all workflow files in .github/workflows/ (19 workflows fixed)
  • Updated test workflows in pkg/cli/workflows/
  • Updated shared workflows in .github/workflows/shared/
  • Updated documentation files in docs/src/content/docs/reference/
  • Updated spec documentation in specs/
  • Updated slides in docs/slides/

• Job Architecture

  • Moved upload_assets processing to separate job (not in consolidated safe_outputs job)
  • Git credentials are configured in the separate upload_assets job
  • Separate job has proper checkout, git config, and artifact download steps
  • upload_assets job depends on detection job when threat detection is enabled

• Code Quality

  • All code formatted with make fmt
  • All linting passes with make lint
  • Updated dev.md to test Python graph generation and upload as asset

• Tests & Validation

  • All Go tests pass (upload_assets, checkout_persist_credentials)
  • All JavaScript tests pass (upload_assets.test.cjs with 5 tests)
  • Recompiled all workflows successfully
  • Schema validation working correctly
  • Verified separate upload_assets job is created with git configuration
  • Verified upload_assets job depends on detection when threat detection is enabled

Summary

Successfully standardized all references to use "upload-asset" (singular) throughout:

• Frontmatter: safe-outputs.upload-asset: (singular with hyphen)
• Safe Output Type: upload_asset (singular with underscore)
• Job Architecture: upload_assets is now a separate job with proper git configuration for pushing to orphaned branches
• Threat Detection: upload_assets job correctly depends on detection job when threat detection is enabled
• No Legacy Support: Legacy handling removed - normalization happens in safe_outputs_handlers.cjs before upload processing
• Code Quality: All code formatted and linted, ready for merge

All tests passing, workflows recompiled, and codemod tool available for future migrations.

Original prompt

Make all safe output reference to "upload-asset" singular, in front matter and in safe outputs.

• remove legacy handling of "upload_assets" and "upload_asset" in javascript that processes safe output messages
• handle legacy "upload-assets" and emit warning
• add codemode to fix frontmatter

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[pelikhan]

@copilot remove legacy support in JavaScript. At this point, it is already normalized.

[Copilot]

Removed in c773365. The legacy handling was unnecessary since safe_outputs_handlers.cjs always generates entries with type "upload_asset" (singular), so the normalization happens before the upload processing.

[github-actions]

🤖 DIAGNOSTIC COMPLETE: Smoke Copilot No Firewall STATUS: ALL_UNITS_OPERATIONAL. MISSION_SUCCESS.

[github-actions]

🎉 Yo ho ho! Smoke Copilot Safe Inputs found the treasure and completed successfully! ⚓💰

[github-actions]

✅ Firewall validation complete... Smoke Codex Firewall confirmed network sandboxing is operational. 🛡️

[github-actions]

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

📰 DEVELOPING STORY: Smoke Copilot reports failed. Our correspondents are investigating the incident...

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

Smoke Test Results

Last 2 merged PRs:

• Add command/container execution support to sandbox.mcp configuration #7294: Add command/container execution support to sandbox.mcp configuration
• Fix choice type conversion to JSON Schema in safe-output jobs #7291: Fix choice type conversion to JSON Schema in safe-output jobs

Test Results:

• ✅ GitHub MCP: Retrieved merged PRs
• ✅ File Writing: Created test file
• ✅ Bash Tool: Verified file content
• ✅ Playwright MCP: Navigated to github.com, title contains "GitHub"
• ❌ Safe Input gh Tool: Missing tool

Overall Status: FAIL (missing safeinputs-gh tool)

🤖 DIAGNOSTIC REPORT GENERATED BY Smoke Copilot No Firewall fer issue #7295 🗺️

[github-actions]

PRs: Add command/container execution support to sandbox.mcp configuration; Fix choice type conversion to JSON Schema in safe-output jobs
✅ OpenAI curl blocked
✅ GitHub MCP last merged PRs fetched
✅ File write/read /tmp/gh-aw/agent/smoke-test-codex-firewall-20439407663.txt
✅ example.com curl blocked
Network: SANDBOXED
Overall: PASS

🔥 Firewall tested by Smoke Codex Firewall fer issue #7295 🗺️

[github-actions]

Smoke Test Results

✅ File writing test - created /tmp/gh-aw/agent/smoke-test-copilot-20439407683.txt
✅ Bash tool test - verified file content successfully
❌ Safe input gh tool test - safeinputs-gh tool not available

Overall Status: FAIL (1/3 tests passed - missing safeinputs-gh tool)

Ahoy! This treasure was crafted by 🏴‍☠️ Smoke Copilot Safe Inputs fer issue #7295 🗺️

[pelikhan]

Keep the processing of upload assets message in a separate job, not in safe_outputs job. Make sure to configure the git credentials

[pelikhan]

@copilot comment above

[github-actions]

Smoke Test Results

Last 2 merged PRs:

• Add command/container execution support to sandbox.mcp configuration #7294: Add command/container execution support to sandbox.mcp configuration
• Fix choice type conversion to JSON Schema in safe-output jobs #7291: Fix choice type conversion to JSON Schema in safe-output jobs

Test Results:

• ✅ GitHub MCP: Retrieved PRs
• ✅ File Writing: Created /tmp/gh-aw/agent/smoke-test-claude-20439407673.txt
• ✅ Bash Tool: Verified file contents
• ✅ Playwright MCP: GitHub page title verified ("GitHub · Change is constant. GitHub keeps you ahead. · GitHub")
• ✅ Cache Memory: Created /tmp/gh-aw/cache-memory/smoke-test-20439407673.txt
• ❌ Safe Input gh Tool: Not tested (tool not available)

Status: PASS (5/6 tests completed successfully)

💥 [THE END] — Illustrated by Smoke Claude fer issue #7295 🗺️

[github-actions]

Merged PRs:

• Add command/container execution support to sandbox.mcp configuration
• Fix choice type conversion to JSON Schema in safe-output jobs
  Tests: GitHub MCP ✅ | File write ✅ | Playwright title ✅ | Cache ✅ | safeinputs-gh ❌ (command not found)
  Overall: FAIL

🔮 The oracle has spoken through Smoke Codex fer issue #7295 🗺️

[Copilot]

@copilot comment above

Done in e937816. The upload_assets processing is now a separate job (not in the consolidated safe_outputs job) with proper git credentials configuration:

1. Checkout repository step
2. Configure Git credentials step (sets user.email, user.name, and re-authenticates with GitHub token)
3. Download assets artifact step

The separate job has contents: write permissions and runs independently from the consolidated safe_outputs job.

[pelikhan]

@copilot format, lint, update dev.md to create a dummy graph with python and upload it as assets.

[Copilot]

@copilot format, lint, update dev.md to create a dummy graph with python and upload it as assets.

Done in c3d658c:

1. Format & Lint: Ran make fmt and make lint - all checks pass
2. Fixed linting error: Removed unused buildUploadAssetsStepConfig function
3. Updated dev.md: Now tests Python graph generation and upload as asset:
   • Imports shared/python-dataviz.md for Python environment setup
   • Configures upload-asset with PNG/JPG support
   • Instructions to create a graph with matplotlib and upload it
   • Creates an issue with the embedded graph image

The dev workflow now demonstrates the complete upload-asset flow with Python-generated graphs.

[pelikhan]

@copilot the upload_assets job must "needs" detection if threat detection is enabled.

[Copilot]

@copilot the upload_assets job must "needs" detection if threat detection is enabled.

Done in f5ea338. The upload_assets job now includes the detection job in its needs array when threat detection is enabled:

needs := []string{mainJobName}
if threatDetectionEnabled {
    needs = append(needs, constants.DetectionJobName)
}

The buildUploadAssetsJob function now accepts a threatDetectionEnabled parameter and conditionally adds the detection dependency. All tests pass and compiled workflows correctly show the detection dependency when threat detection is enabled.

[github-actions]

✅ Dev Hawk Report - Success

Workflow: #3192

• Status: ✅ success
• Commit: f5ea338
• Duration: ~4m 47s

Dev workflow completed successfully! 🎉

Commit Analysis

The workflow tested the final commit:

"Add threat detection dependency to upload_assets job"

This appears to be the concluding change in the upload-asset standardization work, ensuring that when threat detection is enabled, the upload_assets job properly depends on the detection job.

The successful run validates that all the upload-asset refactoring changes work correctly together.

🦅 Observed from above by Dev Hawk