chore: upload wizard artifacts to s3

.github/workflows/wizard-ci.yml

@@ -393,6 +393,9 @@ jobs:
     needs: [discover, notify-start, notify-pr-start]
     if: always() && needs.discover.result == 'success'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     strategy:
       fail-fast: false
       max-parallel: 10
@@ -631,35 +634,33 @@ jobs:
           # PostHog tracking for eval analytics
           POSTHOG_PROJECT_TOKEN: ${{ secrets.POSTHOG_PROJECT_TOKEN }}
 
-      - name: Prepare artifact name
-        # Not used for anything rn
-        if: always()
-        id: artifact-name
-        run: |
-          # Replace slashes with dashes for valid artifact name
-          SAFE_NAME="${{ matrix.app }}"
-          SAFE_NAME="${SAFE_NAME//\//-}"
-          echo "safe_name=$SAFE_NAME" >> $GITHUB_OUTPUT
-
-      - name: Upload context-mill resources
-        # Only upload once (from the first matrix job) since the zip is identical across all jobs
-        if: always() && !env.ACT && matrix.app == needs.discover.outputs.first_app
+      - name: Configure AWS credentials
+        if: always() && !env.ACT
         continue-on-error: true
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4
         with:
-          name: context-mill-resources-${{ github.run_id }}
-          path: context-mill-mcp-resources.zip
-          if-no-files-found: warn
+          role-to-assume: ${{ secrets.AWS_WIZARD_ARTIFACTS_ROLE_ARN }}
+          aws-region: ${{ secrets.AWS_WIZARD_ARTIFACTS_REGION }}
+          mask-aws-account-id: true
+          unset-current-credentials: true
 
-      - name: Upload skills resources
-        # Only upload once (from the first matrix job) since the zip is identical across all jobs
-        if: always() && !env.ACT && matrix.app == needs.discover.outputs.first_app
+      - name: Upload artifacts to S3
+        if: always() && !env.ACT
         continue-on-error: true
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: skills-resources-${{ github.run_id }}
-          path: skills-mcp-resources.zip
-          if-no-files-found: warn
+        run: |
+          TRIGGER_ID="${{ needs.discover.outputs.trigger_id }}"
+          SAFE_APP="${{ matrix.app }}"
+          SAFE_APP="${SAFE_APP//\//-}"
+          S3_PREFIX="s3://${{ secrets.AWS_WIZARD_ARTIFACTS_BUCKET }}/${TRIGGER_ID}/${SAFE_APP}"
+
+          aws s3 cp wizard-output.log "${S3_PREFIX}/wizard-output.log" || true
+          aws s3 cp context-mill-mcp-resources.zip "${S3_PREFIX}/context-mill-mcp-resources.zip" || true
+          aws s3 cp skills-mcp-resources.zip "${S3_PREFIX}/skills-mcp-resources.zip" || true
+
+          YARA_JSON="/tmp/posthog-wizard-yara-report.json"
+          if [ -f "$YARA_JSON" ]; then
+            aws s3 cp "$YARA_JSON" "${S3_PREFIX}/yara-report.json" || true
+          fi
 
       - name: Label and close PR
         if: steps.run-wizard.outputs.pr_number