fix(gemini): move error files into /tmp/gh-aw/ before artifact bundling

[Copilot]

actions/upload-artifact computes the least-common-ancestor (LCA) of all upload paths to determine artifact-internal prefixes. The Gemini engine declared /tmp/gemini-client-error-*.json, pulling the LCA up to /tmp/ instead of /tmp/gh-aw/. This caused all artifact files to be stored with a gh-aw/ prefix, so safe_outputs extracted agent_output.json to /tmp/gh-aw/gh-aw/agent_output.json instead of the expected /tmp/gh-aw/agent_output.json, resulting in 0 safe outputs processed.

Changes

• New interface method GetPreBundleSteps() on WorkflowExecutor — runs steps before secret redaction and the unified artifact upload; no-op default in BaseEngine
• GeminiEngine.GetPreBundleSteps() emits a step that relocates Gemini CLI error reports before bundling:

  - name: Move Gemini error files to artifact directory
    if: always()
    run: mv /tmp/gemini-client-error-*.json /tmp/gh-aw/ 2>/dev/null || true

• GeminiEngine.GetDeclaredOutputFiles() updated to /tmp/gh-aw/gemini-client-error-*.json so the artifact LCA stays at /tmp/gh-aw/
• Compiler calls GetPreBundleSteps() before secret redaction so relocated files are scanned
• Updated step_order_validation.go comment and all affected tests; recompiled all 173 lock files

[Copilot]

Pull request overview

Adjusts how Gemini CLI diagnostic error reports are collected so they live under /tmp/gh-aw/, keeping unified artifact uploads under a single common ancestor (avoiding actions/upload-artifact least-common-ancestor path issues) and ensuring secret redaction coverage.

Changes:

• Relocates Gemini error report artifacts to /tmp/gh-aw/ and adds a pre-bundle step to move files from /tmp/ before redaction/upload.
• Extends the engine interface with GetPreBundleSteps and injects these steps into the main job prior to secret redaction.
• Updates tests and the locked smoke workflow to reflect the new artifact paths and behavior.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
pkg/workflow/step_order_validation.go	Updates rationale around allowing certain wildcard /tmp/ paths, noting Gemini now relocates into /tmp/gh-aw/.
pkg/workflow/gemini_engine.go	Declares Gemini error reports under /tmp/gh-aw/ and adds a pre-bundle mv step to relocate reports from /tmp/.
pkg/workflow/gemini_engine_test.go	Adds/updates unit tests for declared output path and pre-bundle step content.
pkg/workflow/compiler_yaml_main_job.go	Injects engine GetPreBundleSteps before secret redaction in the generated main job steps.
pkg/workflow/agentic_output_test.go	Updates workflow/output assertions to require /tmp/gh-aw/... and ensure /tmp/... isn’t used for artifact paths.
pkg/workflow/agentic_engine.go	Adds GetPreBundleSteps to WorkflowExecutor and provides a default no-op implementation on BaseEngine.
.github/workflows/smoke-gemini.lock.yml	Reflects the new “move files” step and updates artifact upload paths to /tmp/gh-aw/....

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.