Open
Add OIDC-based AWS credential configuration and S3 upload steps to the wizard-ci workflow. Artifacts (wizard output logs, context-mill resources, skills resources, YARA reports) are uploaded to an S3 bucket organized by trigger ID and app name. Requires three secrets to be configured:
- AWS_WIZARD_ARTIFACTS_ROLE_ARN
- AWS_WIZARD_ARTIFACTS_REGION
- AWS_WIZARD_ARTIFACTS_BUCKET
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
GitHub artifacts on a public repo are accessible to anyone. Since these contain CI output that should be private, remove the upload-artifact steps and rely solely on S3. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
gewenyu99
approved these changes
Mar 22, 2026
Contributor
Noice! We do just need to add the log file to this, tho. I think these suggestions work :squint:
| TRIGGER_ID="${{ needs.discover.outputs.trigger_id }}" | ||
| SAFE_APP="${{ matrix.app }}" | ||
| SAFE_APP="${SAFE_APP//\//-}" | ||
| S3_PREFIX="s3://${{ secrets.AWS_WIZARD_ARTIFACTS_BUCKET }}/${TRIGGER_ID}/${SAFE_APP}" |
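Review bot: `${{ needs.discover.outputs.trigger_id }}` and `${{ matrix.app }}` are expanded into the script text before the shell runs, so a quote or `$(...)` in either value becomes shell syntax rather than data. Pass both through the step's `env:` block and read them as `"$TRIGGER_ID"` and `"$APP"` instead. The `SAFE_APP="${SAFE_APP//\//-}"` line only rewrites `/`; since both values end up as S3 key components, consider restricting them to an allow-list such as `[A-Za-z0-9._-]` before building `S3_PREFIX`.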
Contributor
Trigger ID is a UID yah?
|
|
||
| aws s3 cp wizard-output.log "${S3_PREFIX}/wizard-output.log" || true | ||
| aws s3 cp context-mill-mcp-resources.zip "${S3_PREFIX}/context-mill-mcp-resources.zip" || true | ||
| aws s3 cp skills-mcp-resources.zip "${S3_PREFIX}/skills-mcp-resources.zip" || true |
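Review bot: The `|| true` on each `aws s3 cp` line discards the exit status, so a missing file, an expired credential and a denied write all look the same as success in the job log. Keep the step non-fatal but record the failure, for example `aws s3 cp wizard-output.log "${S3_PREFIX}/wizard-output.log" || echo "::warning::upload of wizard-output.log failed"`, so a run with no artifacts in the bucket can be traced back to the command that lost them.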
Contributor
Suggested change
| aws s3 cp skills-mcp-resources.zip "${S3_PREFIX}/skills-mcp-resources.zip" || true | |
| aws s3 cp wizard-log.log "/tmp/posthog-wizard.log" || true |
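Review bot: In the suggested line `aws s3 cp wizard-log.log "/tmp/posthog-wizard.log" || true`, neither argument is an `s3://` URI, and `aws s3 cp` rejects a local-to-local copy; the trailing `|| true` would hide that error, so the log would never reach the bucket and nothing would say so. If the intent is to upload the wizard log from `/tmp`, the source and destination look swapped: `aws s3 cp /tmp/posthog-wizard.log "${S3_PREFIX}/wizard-log.log" || true`.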
Summary
- s3://<bucket>/<trigger-id>/<app-name>/
- continue-on-error: true so S3 upload failures don't break the CI run

Setup required
After the corresponding posthog-cloud-infra PR is applied, three secrets need to be added to this repo:
- AWS_WIZARD_ARTIFACTS_ROLE_ARN — the IAM role ARN from terraform output
- AWS_WIZARD_ARTIFACTS_REGION — us-east-1
- AWS_WIZARD_ARTIFACTS_BUCKET — posthog-wizard-artifacts-prod-us

Test plan
🤖 Generated with Claude Code