Artifacts
GitHub Agentic Workflows upload several artifacts during workflow execution. This reference documents every artifact name, its contents, and how to access the data — especially for downstream workflows that use gh run download directly instead of gh aw logs.
Quick Reference
Section titled “Quick Reference”| Artifact Name | Constant | Type | Description |
|---|---|---|---|
agent | constants.AgentArtifactName | Multi-file | Unified agent job outputs (logs, safe outputs, token usage summary) |
activation | constants.ActivationArtifactName | Multi-file | Activation job output (aw_info.json, prompt.txt, rate limits) |
firewall-audit-logs | constants.FirewallAuditArtifactName | Multi-file | AWF firewall audit/observability logs (token usage, network policy, audit trail) |
detection | constants.DetectionArtifactName | Single-file | Threat detection log (detection.log) |
safe-output | constants.SafeOutputArtifactName | Legacy/back-compat | Historical standalone safe output artifact (safe_output.jsonl); in current compiled workflows this content is included in the unified agent artifact instead |
agent-output | constants.AgentOutputArtifactName | Legacy/back-compat | Historical standalone agent output artifact (agent_output.json); in current compiled workflows this content is included in the unified agent artifact instead |
aw-info | — | Single-file | Engine configuration (aw_info.json) |
prompt | — | Single-file | Generated prompt (prompt.txt) |
safe-outputs-items | constants.SafeOutputItemsArtifactName | Single-file | Safe output items manifest |
code-scanning-sarif | constants.SarifArtifactName | Single-file | SARIF file for code scanning results |
Artifact Sets
Section titled “Artifact Sets”The gh aw logs and gh aw audit commands support --artifacts to download only specific artifact groups:
| Set Name | Artifacts Downloaded | Use Case |
|---|---|---|
all | Everything | Full analysis (default) |
agent | agent | Agent logs and outputs |
activation | activation | Activation data (aw_info.json, prompt.txt) |
firewall | firewall-audit-logs | Network policy and firewall audit data |
mcp | firewall-audit-logs | MCP gateway traffic logs |
detection | detection | Threat detection output |
github-api | activation, agent | GitHub API rate limit logs |
# Download only firewall artifactsgh aw logs <run-id> --artifacts firewall
# Download agent and firewall artifactsgh aw logs <run-id> --artifacts agent --artifacts firewall
# Download everything (default)gh aw logs <run-id>firewall-audit-logs
Section titled “firewall-audit-logs”The firewall-audit-logs artifact is uploaded by all firewall-enabled workflows. It contains AWF (Agent Workflow Firewall) structured audit and observability logs.
! Important: This artifact is separate from the
agentartifact. Token usage data (token-usage.jsonl) lives here, not in theagentartifact.
Directory Structure
Section titled “Directory Structure”firewall-audit-logs/├── api-proxy-logs/│ └── token-usage.jsonl ← Token usage data (input/output/cache tokens per API request)├── squid-logs/│ └── access.log ← Network policy log (domain allow/deny decisions)├── audit.jsonl ← Firewall audit trail (policy matches, rule evaluations)└── policy-manifest.json ← Policy configuration snapshotAccessing Token Usage Data
Section titled “Accessing Token Usage Data”Recommended: Use gh aw logs
# Download and analyze firewall datagh aw logs <run-id> --artifacts firewall
# Output as JSON for scriptinggh aw logs <run-id> --artifacts firewall --jsonDirect download with gh run download:
# Download the firewall-audit-logs artifactgh run download <run-id> -n firewall-audit-logs
# Token usage data is at:cat firewall-audit-logs/api-proxy-logs/token-usage.jsonl
# Network access log is at:cat firewall-audit-logs/squid-logs/access.log
# Audit trail is at:cat firewall-audit-logs/audit.jsonl
# Policy manifest is at:cat firewall-audit-logs/policy-manifest.jsonCommon Mistake
Section titled “Common Mistake”Downstream workflows sometimes download agent-artifacts or agent expecting to find token-usage.jsonl. This will silently return no data — the token usage file is only in the firewall-audit-logs artifact.
# ✗ WRONG — token-usage.jsonl is NOT in the agent artifactgh run download <run-id> -n agentcat agent/token-usage.jsonl # File not found!
# ✓ CORRECT — download from firewall-audit-logsgh run download <run-id> -n firewall-audit-logscat firewall-audit-logs/api-proxy-logs/token-usage.jsonlThe unified agent artifact contains all agent job outputs.
Contents
Section titled “Contents”- Agent execution logs
- Safe output data (
agent_output.json) - GitHub API rate limit logs (
github_rate_limits.jsonl) - Token usage summary (
agent_usage.json) — aggregated totals only; per-request data is infirewall-audit-logs
activation
Section titled “activation”The activation artifact contains activation job outputs.
Contents
Section titled “Contents”aw_info.json— Engine configuration and workflow metadataprompt.txt— The generated prompt sent to the AI agentgithub_rate_limits.jsonl— Rate limit data from the activation job
detection
Section titled “detection”The detection artifact contains threat detection output.
Contents
Section titled “Contents”detection.log— Threat detection analysis results
Legacy name: threat-detection.log (still supported for backward compatibility).
Naming Compatibility
Section titled “Naming Compatibility”Artifact names changed between upload-artifact v4 and v5. The gh aw logs and gh aw audit commands handle both naming schemes transparently:
| Old Name (pre-v5) | New Name (v5+) | File Inside |
|---|---|---|
aw_info.json | aw-info | aw_info.json |
safe_output.jsonl | safe-output | safe_output.jsonl |
agent_output.json | agent-output | agent_output.json |
prompt.txt | prompt | prompt.txt |
threat-detection.log | detection | detection.log |
Single-file artifacts are automatically flattened to root level regardless of their artifact directory name. Multi-file artifacts (firewall-audit-logs, agent, activation) retain their directory structure.
Workflow Call Prefixes
Section titled “Workflow Call Prefixes”When workflows are invoked via workflow_call, GitHub Actions prepends a short hash to artifact names (e.g., abc123-firewall-audit-logs). The CLI handles this automatically by matching artifact names that end with -{base-name}.
# Both of these are recognized as the firewall artifact:# - firewall-audit-logs (direct invocation)# - abc123-firewall-audit-logs (workflow_call invocation)Related Documentation
Section titled “Related Documentation”- Audit Commands — Download and analyze workflow run artifacts
- Cost Management — Track token usage and inference spend
- Network — Firewall and domain allow/deny configuration
- Compilation Process — How workflows are compiled including artifact upload steps