chore: upload wizard artifacts to s3 #941
Open
joshsny wants to merge 6 commits into
Add OIDC-based AWS credential configuration and S3 upload steps to the wizard-ci workflow. Artifacts (wizard output logs, context-mill resources, skills resources, YARA reports) are uploaded to an S3 bucket organized by trigger ID and app name.
Requires three secrets to be configured:
- AWS_WIZARD_ARTIFACTS_ROLE_ARN
- AWS_WIZARD_ARTIFACTS_REGION
- AWS_WIZARD_ARTIFACTS_BUCKET
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
GitHub artifacts on a public repo are accessible to anyone. Since these contain CI output that should be private, remove the upload-artifact steps and rely solely on S3. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
gewenyu99
approved these changes
Mar 22, 2026
Contributor
gewenyu99
left a comment
Noice! We do just need to add the log file to this, tho. I think these suggestions work :squint:
| TRIGGER_ID="${{ needs.discover.outputs.trigger_id }}" | ||
| SAFE_APP="${{ matrix.app }}" | ||
| SAFE_APP="${SAFE_APP//\//-}" | ||
| S3_PREFIX="s3://${{ secrets.AWS_WIZARD_ARTIFACTS_BUCKET }}/${TRIGGER_ID}/${SAFE_APP}" |
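Review bot: `TRIGGER_ID="${{ needs.discover.outputs.trigger_id }}"` and `SAFE_APP="${{ matrix.app }}"` expand the expressions into the script text before the shell parses it, so a value containing a quote or `$(...)` would run as shell code instead of staying data. Pass both values, and the bucket secret used in `S3_PREFIX`, through the step's `env:` block and reference them as quoted shell variables. `SAFE_APP` also only rewrites `/`; since it becomes part of the S3 key, consider restricting it to an allow-list of characters, and do the same for the trigger ID unless the discover job guarantees its format.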
Contributor
Trigger ID is a UID yah?
|
|
||
| aws s3 cp wizard-output.log "${S3_PREFIX}/wizard-output.log" || true | ||
| aws s3 cp context-mill-mcp-resources.zip "${S3_PREFIX}/context-mill-mcp-resources.zip" || true | ||
| aws s3 cp skills-mcp-resources.zip "${S3_PREFIX}/skills-mcp-resources.zip" || true |
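Review bot: `|| true` on each `aws s3 cp` makes a missing file, an expired credential and an access-denied response all look the same as success, so a broken upload path can go unnoticed. The PR description already relies on `continue-on-error: true` to keep S3 failures from breaking the run, so replace `|| true` with an explicit check: skip files that do not exist with `[ -f ... ]`, and log a warning when an upload of an existing file fails.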
Contributor
Suggested change
| aws s3 cp skills-mcp-resources.zip "${S3_PREFIX}/skills-mcp-resources.zip" || true | |
| aws s3 cp wizard-log.log "/tmp/posthog-wizard.log" || true |
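Review bot: the suggested line has no S3 destination: `aws s3 cp wizard-log.log "/tmp/posthog-wizard.log"` copies a local file named `wizard-log.log` to a local path, whereas the other uploads put the local file first and `"${S3_PREFIX}/..."` second. If the intent is to upload the wizard's log from `/tmp`, the source should be `/tmp/posthog-wizard.log` and the destination a key under `${S3_PREFIX}`. As written, the suggestion also replaces the `skills-mcp-resources.zip` line instead of adding a line after it, so applying it would drop that upload.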
Contributor
@joshsny can we merge this yet?
…ctor
Adopts main's split wizard-ci structure (Run Wizard CI / Execute wizard / Process results), positions the new S3 upload after Process results so resources zips and YARA JSON are on disk, and updates Label and close PR to read steps.process-results.outputs.pr_number.
Addresses review feedback on #941 by replacing the wizard-output.log upload with /tmp/posthog-wizard.log (the wizard's verbose internal log, the file that actually carries the interesting debug info). The wrapper stdout that wizard-output.log captured is already retained in the GitHub Actions step log for 90 days.
Sets POSTHOG_WIZARD_LOG_DIR=/tmp explicitly in the Execute wizard and Upload artifacts to S3 steps so the source path and upload path stay in sync; uses ${POSTHOG_WIZARD_LOG_DIR}/posthog-wizard.log to derive the file. Renames the YARA destination to posthog-wizard-yara-report.json to match the source basename. Moves matrix.app and bucket interpolations into env vars to match the shell-step pattern that main now uses elsewhere in this job.
Generated-By: PostHog Code
Task-Id: 28becca6-325e-4d34-9779-bdb231e3b5b4
Temporarily replaces wizard-ci.yml with main's version so that the subsequent merge of main into this branch can be performed via the signed-merge API (which fails on conflicts). The next commit restores our resolved content on top of the merged history.
Generated-By: PostHog Code
Task-Id: 28becca6-325e-4d34-9779-bdb231e3b5b4
The previous commit temporarily aligned wizard-ci.yml with main so the file content would match across both branches. This commit restores the S3 upload step, removes the GitHub artifact upload steps it replaces, and wires up POSTHOG_WIZARD_LOG_DIR for both Execute wizard and Upload artifacts to S3 so the source and destination paths stay in sync.
Net of the prior commit, the only diff vs main in this file is:
- permissions.id-token: write on the wizard-ci job
- Drop "Prepare artifact name", "Upload context-mill resources", "Upload skills resources" (replaced by AWS S3 upload)
- Add Configure AWS credentials + Upload artifacts to S3 steps after Process results
- POSTHOG_WIZARD_LOG_DIR=/tmp env var on Execute wizard and Upload steps, used to derive the wizard log source path
- Uploads /tmp/posthog-wizard.log (wizard verbose log) instead of wizard-output.log (wrapper stdout is in Actions logs already)
- YARA report uploaded as posthog-wizard-yara-report.json to match the source basename
Generated-By: PostHog Code
Task-Id: 28becca6-325e-4d34-9779-bdb231e3b5b4
Summary
- s3://<bucket>/<trigger-id>/<app-name>/
- continue-on-error: true so S3 upload failures don't break the CI run
Setup required
After the corresponding posthog-cloud-infra PR is applied, three secrets need to be added to this repo:
- AWS_WIZARD_ARTIFACTS_ROLE_ARN — the IAM role ARN from terraform output
- AWS_WIZARD_ARTIFACTS_REGION — us-east-1
- AWS_WIZARD_ARTIFACTS_BUCKET — posthog-wizard-artifacts-prod-us
Test plan
🤖 Generated with Claude Code
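A hardened form of the upload logic this PR discusses, as an added example that is not the PR's or the project's workflow code: it builds the `s3://<bucket>/<trigger-id>/<app-name>` prefix from values passed as arguments (in a workflow, from `env:` variables) and reports failed uploads instead of hiding them. The function names `s3_prefix` and `upload_artifacts`, the character allow-lists, and the sample values are assumptions.

```sh
#!/bin/sh
# Added example. Functions use a ( ... ) body so their variables stay scoped
# to a subshell and `exit` only ends the function, not the calling script.

# Print "s3://<bucket>/<trigger-id>/<app-name>", or fail on unexpected input.
s3_prefix() (
  bucket=$1 trigger_id=$2 app=$3
  # Flatten path separators as the workflow does, then allow-list the rest.
  safe_app=$(printf '%s' "$app" | tr '/' '-')
  # Assumed format: the trigger ID is letters, digits, "_" or "-" only.
  case "$trigger_id" in ''|*[!A-Za-z0-9_-]*) exit 1 ;; esac
  # "." and ".." are rejected so the key never contains a relative segment.
  case "$safe_app" in ''|.|..|*[!A-Za-z0-9._-]*) exit 1 ;; esac
  printf 's3://%s/%s/%s' "$bucket" "$trigger_id" "$safe_app"
)

# Upload each file that exists to <prefix>/<basename>. Missing files are
# skipped with a notice; failed uploads are counted and surfaced as GitHub
# Actions warnings. The exit status is the number of failed uploads.
upload_artifacts() (
  prefix=$1
  shift
  failed=0
  for f in "$@"; do
    if [ ! -f "$f" ]; then
      echo "::notice::skipping missing artifact $f"
      continue
    fi
    if ! aws s3 cp "$f" "${prefix}/$(basename "$f")"; then
      echo "::warning::upload failed for $f"
      failed=$((failed + 1))
    fi
  done
  exit "$failed"
)

# Constructed sample values; prints s3://example-bucket/run-0001/org-app
s3_prefix "example-bucket" "run-0001" "org/app"
echo
```

In a workflow step the prefix would come from `s3_prefix "$ARTIFACT_BUCKET" "$TRIGGER_ID" "$APP_NAME"`, with those (assumed) variable names set in the step's `env:` block.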