fix: use RUNNER_TEMP for upload_artifact staging directory path (#25882)

Author: Copilot

.github/workflows/api-consumption-report.md

@@ -303,17 +303,17 @@ Use `sns.set_theme(style="darkgrid")` for a professional dark-grid look and `plt
 
 **You MUST copy the chart files to the staging directory before calling `upload_artifact`.**
 
-The `upload_artifact` tool only reads files from `/tmp/gh-aw/safeoutputs/upload-artifacts/`. Run these commands first:
+The `upload_artifact` tool only reads files from `$RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/`. Run these commands first:
 
 ```bash
-mkdir -p /tmp/gh-aw/safeoutputs/upload-artifacts/
-cp /tmp/gh-aw/python/charts/*.png /tmp/gh-aw/safeoutputs/upload-artifacts/
+mkdir -p "$RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/"
+cp /tmp/gh-aw/python/charts/*.png "$RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/"
 ```
 
 Then verify the files are in the staging directory:
 
 ```bash
-ls -la /tmp/gh-aw/safeoutputs/upload-artifacts/
+ls -la "$RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/"
 ```
 
 After confirming the files exist in the staging directory, call `upload_artifact` for each chart using the **filename only** (not a subdirectory path). For example, use `path: "api_calls_trend.png"` — NOT `path: "charts/api_calls_trend.png"`.

.github/workflows/approach-validator.md

@@ -224,7 +224,7 @@ cat /tmp/gh-aw/approach-validator/agent4-dead-end-detector.md
 Write the full compiled report to a file for artifact upload (using the run ID for uniqueness):
 
 ```bash
-cat > /tmp/gh-aw/safeoutputs/upload-artifacts/approach-validation-report-${{ github.run_id }}.md << 'REPORT_EOF'
+cat > $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/approach-validation-report-${{ github.run_id }}.md << 'REPORT_EOF'
 [Full compiled report — see structure below]
 REPORT_EOF
 ```

.github/workflows/audit-workflows.md

@@ -51,7 +51,7 @@ Generate 2 charts from past 30 days workflow data:
 2. **Token & Cost**: Daily tokens (bar/area) + cost line + 7-day moving average
 
 Save to: `/tmp/gh-aw/python/charts/{workflow_health,token_cost}_trends.png`
-Upload charts, embed in discussion with 2-3 sentence analysis each. Stage chart files to `/tmp/gh-aw/safeoutputs/upload-artifacts/` and call the `upload_artifact` safe-output tool for each chart. Record the returned `aw_*` IDs and include them in the discussion body along with a link to the [workflow run artifacts](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) so readers can download the charts.
+Upload charts, embed in discussion with 2-3 sentence analysis each. Stage chart files to `$RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/` and call the `upload_artifact` safe-output tool for each chart. Record the returned `aw_*` IDs and include them in the discussion body along with a link to the [workflow run artifacts](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) so readers can download the charts.
 
 ---
 

.github/workflows/daily-firewall-report.md

@@ -106,8 +106,8 @@ Generate exactly **2 high-quality trend charts**:
 
 1. Stage both charts into the upload directory:
    ```bash
-   cp /tmp/gh-aw/python/charts/firewall_trends.png /tmp/gh-aw/safeoutputs/upload-artifacts/
-   cp /tmp/gh-aw/python/charts/blocked_domains.png /tmp/gh-aw/safeoutputs/upload-artifacts/
+   cp /tmp/gh-aw/python/charts/firewall_trends.png $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/
+   cp /tmp/gh-aw/python/charts/blocked_domains.png $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/
    ```
 2. Call the `upload_artifact` safe-output tool for each chart
 3. Record the returned `aw_*` IDs

.github/workflows/daily-performance-summary.md

@@ -368,9 +368,9 @@ print("Velocity metrics chart saved!")
 Stage and upload all three charts as artifacts with 30-day retention:
 1. Copy charts to the upload staging directory:
    ```bash
-   cp /tmp/gh-aw/python/charts/activity_overview.png /tmp/gh-aw/safeoutputs/upload-artifacts/
-   cp /tmp/gh-aw/python/charts/resolution_metrics.png /tmp/gh-aw/safeoutputs/upload-artifacts/
-   cp /tmp/gh-aw/python/charts/velocity_metrics.png /tmp/gh-aw/safeoutputs/upload-artifacts/
+   cp /tmp/gh-aw/python/charts/activity_overview.png $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/
+   cp /tmp/gh-aw/python/charts/resolution_metrics.png $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/
+   cp /tmp/gh-aw/python/charts/velocity_metrics.png $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/
    ```
 2. Call the `upload_artifact` safe-output tool for each chart
 3. Record the returned `aw_*` IDs for each chart

.github/workflows/docs-noob-tester.md

@@ -173,8 +173,8 @@ For each confusing or broken area:
 - Note the page URL and specific section
 - Stage and upload the screenshot:
   ```bash
-  mkdir -p /tmp/gh-aw/safeoutputs/upload-artifacts
-  cp /tmp/gh-aw/screenshots/<filename>.png /tmp/gh-aw/safeoutputs/upload-artifacts/
+  mkdir -p $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts
+  cp /tmp/gh-aw/screenshots/<filename>.png $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/
   ```
   Then call the `upload_artifact` safe-output tool with `path: "<filename>.png"`.
   Record the returned `aw_*` ID.

.github/workflows/shared/safe-output-upload-artifact.md

@@ -14,7 +14,7 @@ upload files as run-scoped GitHub Actions artifacts.
 
 ## How it works
 
-The agent stages files to `/tmp/gh-aw/safeoutputs/upload-artifacts/` and calls the
+The agent stages files to `$RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/` and calls the
 `upload_artifact` tool. The `safe_outputs` job picks up the staged files and uploads them
 directly via the `@actions/artifact` REST API (no `actions: write` permission needed —
 authentication uses `ACTIONS_RUNTIME_TOKEN` which is always available to the runner).
@@ -35,7 +35,7 @@ The agent must stage files before calling the tool:
 
 ```bash
 # Stage files to the upload-artifacts directory
-cp dist/report.json /tmp/gh-aw/safeoutputs/upload-artifacts/report.json
+cp dist/report.json "$RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/report.json"
 ```
 
 Then call the tool:

.github/workflows/smoke-copilot.md

@@ -144,7 +144,7 @@ strict: false
    - Extract the discussion number from the result (e.g., if the result is `{"number": 123, "title": "...", ...}`, extract 123)
    - Use the `add_comment` tool with `discussion_number: <extracted_number>` to add a fun, playful comment stating that the smoke test agent was here
 9. **Build gh-aw**: Run `GOCACHE=/tmp/go-cache GOMODCACHE=/tmp/go-mod make build` to verify the agent can successfully build the gh-aw project (both caches must be set to /tmp because the default cache locations are not writable). If the command fails, mark this test as ❌ and report the failure.
-10. **Upload gh-aw binary as artifact**: After a successful build, use bash to copy the `./gh-aw` binary into the staging directory (`mkdir -p /tmp/gh-aw/safeoutputs/upload-artifacts && cp ./gh-aw /tmp/gh-aw/safeoutputs/upload-artifacts/gh-aw`), then call the `upload_artifact` safe-output tool with `path: "gh-aw"`. The `upload_artifact` tool is available and configured in this workflow run — use it directly, do NOT use `missing_tool` for it. Mark this test as ❌ if the build in step 9 failed.
+10. **Upload gh-aw binary as artifact**: After a successful build, use bash to copy the `./gh-aw` binary into the staging directory (`mkdir -p $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts && cp ./gh-aw $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/gh-aw`), then call the `upload_artifact` safe-output tool with `path: "gh-aw"`. The `upload_artifact` tool is available and configured in this workflow run — use it directly, do NOT use `missing_tool` for it. Mark this test as ❌ if the build in step 9 failed.
 11. **Discussion Creation Testing**: Use the `create_discussion` safe-output tool to create a discussion in the announcements category titled "copilot was here" with the label "ai-generated"
 12. **Workflow Dispatch Testing**: Use the `dispatch_workflow` safe output tool to trigger the `haiku-printer` workflow with a haiku as the message input. Create an original, creative haiku about software testing or automation.
 13. **PR Review Testing**: Review the diff of the current pull request. Leave 1-2 inline `create_pull_request_review_comment` comments on specific lines, then call `submit_pull_request_review` with a brief body summarizing your review and event `COMMENT`. To test `reply_to_pull_request_review_comment`: use the `pull_request_read` tool (with `method: "get_review_comments"` and `pullNumber: ${{ github.event.pull_request.number }}`) to fetch the PR's existing review comments, then reply to the most recent one using `reply_to_pull_request_review_comment` with its actual numeric `id` as the `comment_id`. Note: `create_pull_request_review_comment` does not return a `comment_id` — you must fetch existing comment IDs from the GitHub API. If the PR has no existing review comments, skip the reply sub-test.

.github/workflows/unbloat-docs.md

@@ -318,8 +318,8 @@ ls -lh /tmp/gh-aw/mcp-logs/playwright/
 
 1. Stage each screenshot file to the artifact upload directory:
    ```bash
-   mkdir -p /tmp/gh-aw/safeoutputs/upload-artifacts
-   cp /tmp/gh-aw/mcp-logs/playwright/<screenshot>.png /tmp/gh-aw/safeoutputs/upload-artifacts/
+   mkdir -p $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts
+   cp /tmp/gh-aw/mcp-logs/playwright/<screenshot>.png $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/
    ```
 2. Call the `upload_artifact` safe-output tool for each file
 3. Record the returned `aw_*` ID for each screenshot to include in the PR description

actions/setup/js/safe_outputs_tools.json

@@ -851,13 +851,13 @@
   },
   {
     "name": "upload_artifact",
-    "description": "Upload files as a run-scoped GitHub Actions artifact. Files can be pre-staged in /tmp/gh-aw/safeoutputs/upload-artifacts/ or referenced by their original path — files not already in the staging directory are automatically copied there before upload. Absolute paths and paths relative to the workspace are supported. Returns a temporary artifact ID (aw_*) that can be resolved to a download URL by an authorised step. Retention and archive settings are fixed by workflow configuration. Exactly one of path or filters must be present.",
+    "description": "Upload files as a run-scoped GitHub Actions artifact. Files can be pre-staged in $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/ or referenced by their original path — files not already in the staging directory are automatically copied there before upload. Absolute paths and paths relative to the workspace are supported. Returns a temporary artifact ID (aw_*) that can be resolved to a download URL by an authorised step. Retention and archive settings are fixed by workflow configuration. Exactly one of path or filters must be present.",
     "inputSchema": {
       "type": "object",
       "properties": {
         "path": {
           "type": "string",
-          "description": "Path to the file or directory to upload. Can be relative to /tmp/gh-aw/safeoutputs/upload-artifacts/, an absolute path, or a path relative to the workspace. Files not already in the staging directory are automatically copied there. Required unless filters is provided."
+          "description": "Path to the file or directory to upload. Can be relative to $RUNNER_TEMP/gh-aw/safeoutputs/upload-artifacts/, an absolute path, or a path relative to the workspace. Files not already in the staging directory are automatically copied there. Required unless filters is provided."
         },
         "filters": {
           "type": "object",