feat: migrate 50% of agentic workflows from upload-asset to upload-artifact

.github/workflows/api-consumption-report.md

@@ -15,7 +15,9 @@ tools:
   agentic-workflows:
   timeout: 300
 safe-outputs:
-  upload-asset:
+  upload-artifact:
+    default-retention-days: 30
+    max-retention-days: 30
 timeout-minutes: 45
 imports:
   - uses: shared/daily-audit-discussion.md
@@ -296,9 +298,9 @@ Use `sns.set_theme(style="darkgrid")` for a professional dark-grid look and `plt
 
 ---
 
-## Step 5 — Upload Charts as Assets
+## Step 5 — Upload Charts as Artifacts
 
-For each successfully generated chart in `/tmp/gh-aw/python/charts/*.png`, use the `upload asset` safe-output tool to publish it. Collect the returned URL for each chart.
+Stage each successfully generated chart from `/tmp/gh-aw/python/charts/*.png` into `/tmp/gh-aw/safeoutputs/upload-artifacts/`, then call the `upload_artifact` safe-output tool for each chart with `retention_days: 30`. Collect and record the returned `aw_*` ID for each chart.
 
 ---
 
@@ -333,39 +335,39 @@ Create a discussion with the following structure. Replace placeholders with real
 
 ### 🔗 GitHub API Calls Trend (90 days)
 
-![GitHub API Calls Trend]({api_calls_trend_url})
+📎 **Chart: GitHub API Calls Trend** — artifact `{api_calls_trend_aw_id}` available in the [workflow run artifacts](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
 
 {2–3 sentences: highlight the trend direction, peak days, and any notable spikes in total REST API consumption}
 
 ---
 
 ### 🔗 GitHub API Calls by Workflow Trend (30 days)
 
-![GitHub API Calls by Workflow Trend]({workflow_api_trend_url})
+📎 **Chart: GitHub API Calls by Workflow Trend** — artifact `{workflow_api_trend_aw_id}` available in the [workflow run artifacts](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
 
 {2–3 sentences: note which workflows consistently consume the most API quota and any emerging patterns over the last 30 days}
 
 ---
 
 ### 🔗 GitHub REST API Calls Heatmap (90 days)
 
-![GitHub REST API Calls Heatmap]({api_heatmap_url})
+📎 **Chart: GitHub REST API Calls Heatmap** — artifact `{api_heatmap_aw_id}` available in the [workflow run artifacts](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
 
 {2–3 sentences: describe weekly patterns, busiest days, and any anomalies in REST API consumption}
 
 ---
 
 ### 🍩 Top API Burners (24h)
 
-![Top API Burners]({api_burners_donut_url})
+📎 **Chart: Top API Burners** — artifact `{api_burners_donut_aw_id}` available in the [workflow run artifacts](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
 
 {2–3 sentences: describe which workflows dominate API consumption, their share of the total, and any concentration risk}
 
 ---
 
 ### 🔗 GitHub REST API Consumption by Workflow (last 24h)
 
-![GitHub REST API Consumption by Workflow]({api_by_workflow_url})
+📎 **Chart: GitHub REST API Consumption by Workflow** — artifact `{api_by_workflow_aw_id}` available in the [workflow run artifacts](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
 
 {2–3 sentences: identify the top REST API consumers, note any workflows near the 15k/hr limit, and suggest optimisation opportunities}
 

.github/workflows/audit-workflows.md

@@ -14,7 +14,9 @@ tools:
   agentic-workflows:
   timeout: 300
 safe-outputs:
-  upload-asset:
+  upload-artifact:
+    default-retention-days: 30
+    max-retention-days: 30
 timeout-minutes: 30
 imports:
   - uses: shared/daily-audit-discussion.md
@@ -50,7 +52,7 @@ Generate 2 charts from past 30 days workflow data:
 2. **Token & Cost**: Daily tokens (bar/area) + cost line + 7-day moving average
 
 Save to: `/tmp/gh-aw/python/charts/{workflow_health,token_cost}_trends.png`
-Upload charts, embed in discussion with 2-3 sentence analysis each.
+Upload charts, embed in discussion with 2-3 sentence analysis each. Stage chart files to `/tmp/gh-aw/safeoutputs/upload-artifacts/` and call the `upload_artifact` safe-output tool with `retention_days: 30` for each chart. Record the returned `aw_*` IDs and include them in the discussion body along with a link to the [workflow run artifacts](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) so readers can download the charts.
 
 ---
 

.github/workflows/daily-firewall-report.md

@@ -18,7 +18,9 @@ tracker-id: daily-firewall-report
 timeout-minutes: 45
 
 safe-outputs:
-  upload-asset:
+  upload-artifact:
+    default-retention-days: 30
+    max-retention-days: 30
 tools:
   agentic-workflows:
   github:
@@ -102,8 +104,13 @@ Generate exactly **2 high-quality trend charts**:
 
 **Phase 4: Upload Charts**
 
-1. Upload both charts using the `upload asset` tool
-2. Collect the returned URLs for embedding in the discussion
+1. Stage both charts into the upload directory:
+   ```bash
+   cp /tmp/gh-aw/python/charts/firewall_trends.png /tmp/gh-aw/safeoutputs/upload-artifacts/
+   cp /tmp/gh-aw/python/charts/blocked_domains.png /tmp/gh-aw/safeoutputs/upload-artifacts/
+   ```
+2. Call the `upload_artifact` safe-output tool for each chart with `retention_days: 30`
+3. Record the returned `aw_*` IDs
 
 **Phase 5: Embed Charts in Discussion**
 
@@ -113,12 +120,14 @@ Include the charts in your firewall report with this structure:
 ### 📈 Firewall Activity Trends
 
 ### Request Patterns
-![Firewall Request Trends](URL_FROM_UPLOAD_ASSET_CHART_1)
+
+📎 **Chart: Firewall Request Trends** — artifact `<aw_ID_1>` available in the [workflow run artifacts](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
 
 [Brief 2-3 sentence analysis of firewall activity trends, noting increases in blocked traffic or changes in patterns]
 
 ### Top Blocked Domains
-![Blocked Domains Frequency](URL_FROM_UPLOAD_ASSET_CHART_2)
+
+📎 **Chart: Blocked Domains Frequency** — artifact `<aw_ID_2>` available in the [workflow run artifacts](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
 
 [Brief 2-3 sentence analysis of frequently blocked domains, identifying potential security concerns or overly restrictive rules]
 ```