Fix artifact downloads to use unified agent-artifacts and remove duplicates

[Copilot]

Update safe_outputs job download-artifact steps for unified agent-artifacts

Problem

The workflow compilation now uses a unified agent-artifacts artifact that includes all agent outputs (prompts, logs, patches). However, safe_outputs and threat detection jobs continued downloading from deprecated standalone artifacts (aw.patch, prompt), causing download failures and redundant downloads.

Plan

• Investigate the issue and understand the unified artifact structure
• Identify affected files
• Update create_pull_request.go to download from unified agent-artifacts
• Update compiler_safe_outputs_core.go to download from unified agent-artifacts (2 locations)
• Update threat_detection.go to download from unified agent-artifacts
• Update tests to expect agent-artifacts artifact name
• Run tests to validate changes
• Recompile workflows to verify fix
• Remove unused artifact upload functions
• Remove duplicate/outdated artifact downloads in threat detection
• Fix JavaScript file paths for threat detection unified artifact structure
• Run make agent-finish for final validation

Changes Made

Code Changes

1. pkg/workflow/create_pull_request.go - Line 49: Changed name: aw.patch to name: agent-artifacts
2. pkg/workflow/compiler_safe_outputs_core.go - Lines 80 & 292: Changed ArtifactName: "aw.patch" to ArtifactName: "agent-artifacts"
3. pkg/workflow/threat_detection.go - Lines 191-214: Consolidated three separate downloads (prompt, agent-output, patch) into two downloads (agent-artifacts, agent-output)
4. actions/setup/js/setup_threat_detection.cjs - Updated file paths to use nested structure from unified artifact:
   • Prompt: /tmp/gh-aw/threat-detection/tmp/gh-aw/aw-prompts/prompt.txt
   • Patch: /tmp/gh-aw/threat-detection/tmp/gh-aw/aw.patch
   • Agent output: /tmp/gh-aw/threat-detection/agent_output.json (still separate artifact, path unchanged)

Test Updates

5. pkg/workflow/compile_outputs_pr_test.go - Line 494: Updated expectation to check for agent-artifacts
6. pkg/workflow/patch_artifact_download_verification_test.go - Lines 71 & 160: Updated expectations
7. pkg/workflow/push_to_pull_request_branch_test.go - Line 870: Updated expectation
8. pkg/workflow/threat_detection_test.go - Updated tests to expect unified artifact download

Cleanup

9. pkg/workflow/compiler_yaml_artifacts.go - Removed unused functions: generateUploadAgentLogs, generateUploadPrompt, generateUploadAwInfo, generateUploadAssets, generateUploadMCPLogs, generateUploadSafeInputsLogs, generateGitPatchUploadStep
10. pkg/workflow/artifacts.go - Removed unused generateArtifactUpload function and ArtifactUploadConfig struct

Key Insight: Nested Path Structure

When agent-artifacts is downloaded to /tmp/gh-aw/threat-detection/, the files inside maintain their full path structure:

Artifact contains:

• /tmp/gh-aw/aw-prompts/prompt.txt
• /tmp/gh-aw/aw.patch

After download to /tmp/gh-aw/threat-detection/:

• /tmp/gh-aw/threat-detection/tmp/gh-aw/aw-prompts/prompt.txt
• /tmp/gh-aw/threat-detection/tmp/gh-aw/aw.patch

Separate artifact (agent-output) downloaded to same path:

• /tmp/gh-aw/threat-detection/agent_output.json (no nesting, as it's the root of its artifact)

Verification

• ✅ All patch artifact download tests passing (12 tests)
• ✅ All threat detection tests passing
• ✅ Workflows recompiled successfully (126/128 compiled)
• ✅ JavaScript paths updated for nested artifact structure
• ✅ Verified in actual workflow files - unified artifact downloads working correctly
• ✅ No linting errors after cleanup

Impact

This eliminates duplicate downloads and ensures all jobs correctly use the unified agent-artifacts artifact with proper file path handling.

Original prompt

Reference: https://github.com/githubnext/gh-aw/actions/runs/20688705069/job/59393738899#step:6:1

Update the generated download-artifact steps in the safe_outputs job to match the new unified agent-artifacts artifact.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

---

Changeset

• Type: patch
• Description: Use unified agent-artifacts for downloads; update tests to expect agent-artifacts and remove dead artifact upload helpers.

Ahoy! This treasure was crafted by 🏴‍☠️ Changeset Generator

[pelikhan]

@copilot review download-artifacts and remove duplicates or outdated references.

[pelikhan]

@copilot review the steps to download artifacts since it is now unified: prompt, aw.patch are now part of agent-artifacts so one does not need to download them separately.

[Copilot]

@copilot review download-artifacts and remove duplicates or outdated references.

Reviewed and removed duplicates. The threat detection job was downloading the same content three times:

Before:

• Download prompt artifact (separate)
• Download agent-output artifact (separate)
• Download agent-artifacts for patch (conditional)

After:

• Download agent-artifacts once (contains prompt, patch, logs)
• Download agent-output (separate)

This eliminates the duplicate prompt download and the conditional patch download, consolidating into a single unified artifact download. Commit: 73ea25d

[Copilot]

@copilot review the steps to download artifacts since it is now unified: prompt, aw.patch are now part of agent-artifacts so one does not need to download them separately.

Confirmed. All artifact downloads have been updated correctly:

Threat detection job (commit 73ea25d):

• ✅ Downloads agent-artifacts once (contains prompt, patch, logs)
• ✅ Downloads agent-output separately (still independent)

Safe outputs jobs (commits 7b537cd, 1f25049):

• ✅ Download agent-artifacts for patch file
• ✅ Download agent-output separately (still independent)

No remaining separate downloads of prompt or aw.patch artifacts. All jobs now use the unified agent-artifacts artifact as intended.

[github-actions]

📰 VERDICT: Smoke Copilot Playwright has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

🎉 Yo ho ho! Smoke Copilot Safe Inputs found the treasure and completed successfully! ⚓💰

[github-actions]

📰 DEVELOPING STORY: Smoke Copilot reports failed. Our correspondents are investigating the incident...

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

🤖 DIAGNOSTIC COMPLETE: Smoke Copilot No Firewall STATUS: ALL_UNITS_OPERATIONAL. MISSION_SUCCESS.

[github-actions]

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

[github-actions]

✅ Firewall validation complete... Smoke Codex Firewall confirmed network sandboxing is operational. 🛡️

[pelikhan]

@copilot review the file location of aw.patch in the JavaScript since it is now in a different path since it is part of a different artifacts name. Review all other files used in the threat detection prompt too.

[github-actions]

Smoke Test Results

✅ File Writing Test
✅ Bash Tool Test
❌ Safe Input gh Tool Test (tool not available)

Overall Status: FAIL

Note: safeinputs-gh tool is not in available toolset. File operations working correctly.

AI generated by Smoke Copilot Safe Inputs

[github-actions]

Firewall smoke test results:

• OpenAI curl blocked: ✅
• Blocked domain (example.com) curl blocked: ✅
• GitHub MCP merged PR titles: Refactor large workflows into modular shared components #8849 "Refactor large workflows into modular shared components"; Fix repo-memory path inconsistencies blocking meta-orchestrator metrics access #8848 "Fix repo-memory path inconsistencies blocking meta-orchestrator metrics access": ✅
• File write/read /tmp/gh-aw/agent/smoke-test-codex-firewall-20689271485.txt: ✅
• Network status: SANDBOXED
• Overall: PASS

AI generated by Smoke Codex Firewall

[github-actions]

Smoke Test Results: Copilot Engine (No Firewall)

✅ All tests passed successfully

• ✅ Reviewed last 2 merged PRs (Refactor large workflows into modular shared components #8849, Fix repo-memory path inconsistencies blocking meta-orchestrator metrics access #8848)
• ✅ Created test file at /tmp/gh-aw/agent/smoke-test-copilot-20689271517.txt
• ✅ Navigated to https://github.com with Playwright (verified page title)
• ✅ Listed 3 issues using safeinputs-gh tool (#8844, 📊 Workflow Health Dashboard - 2026-01-04 #8825, P0: Enable Workflow Execution Metrics Collection #8824)

AI generated by Smoke Copilot No Firewall

[github-actions]

Smoke Test Results (Claude)

Recent PRs:

• Remove ai-inference, opencode, genaiscript agentic engines for now #10: Remove ai-inference, opencode, genaiscript agentic engines for now
• Add workflow: githubnext/agentics/weekly-research #8: Add workflow: githubnext/agentics/weekly-research

Test Results:

• ✅ GitHub MCP (list PRs)
• ✅ File writing (agent dir)
• ✅ Bash tool (file verification)
• ✅ Playwright MCP (navigate & verify)
• ✅ Cache memory (write & verify)
• ❌ Safe inputs gh tool (tool not available)

Status: FAIL (1/6 tests failed)

AI generated by Smoke Claude

[github-actions]

Smoke Test Results

• ❌ Playwright MCP: Missing system libraries (libglib-2.0.so.0)
• ✅ Cache Memory: File created and verified successfully
• ✅ Safe Input gh Tool: GitHub CLI works with GH_AW_GH_TOKEN

Overall Status: FAIL (1/3 tests passed)

Note: Playwright requires system dependencies not available in runner environment.

AI generated by Smoke Copilot Playwright

[github-actions]

PR titles: Increase strict mode adoption from 60% to 72% (93/128 workflows); [WIP] Update download artifacts steps for unified structure
GitHub MCP: ✅
File write /tmp/gh-aw/agent: ✅
Bash verify: ✅
Playwright title contains "GitHub": ✅
Cache memory write: ✅
safeinputs-gh issues list: ❌ (tool unavailable)
Overall: FAIL

AI generated by Smoke Codex

[Copilot]

@copilot review the file location of aw.patch in the JavaScript since it is now in a different path since it is part of a different artifacts name. Review all other files used in the threat detection ...

Fixed file paths in setup_threat_detection.cjs. Since agent-artifacts is downloaded to /tmp/gh-aw/threat-detection/ and contains files with full paths, they appear nested:

Updated paths:

• Prompt: /tmp/gh-aw/threat-detection/tmp/gh-aw/aw-prompts/prompt.txt
• Patch: /tmp/gh-aw/threat-detection/tmp/gh-aw/aw.patch
• Agent output: /tmp/gh-aw/threat-detection/agent_output.json (unchanged, separate artifact)

The artifact's internal structure is preserved when downloaded, creating the nested /tmp/gh-aw/threat-detection/tmp/gh-aw/... paths. Commit: e996f73