fix: generate correct URLs for assets in private repos

Copilot · dsyme · Copilot · commit 3190c7104131 · 2026-03-18T19:57:14.000Z
Use `https://github.com/{repo}/blob/{branch}/{filename}?raw=true` format instead of `https://raw.githubusercontent.com/{repo}/{branch}/{filename}` for github.com asset uploads. The blob URL with `?raw=true` works for both public and private repos, while the raw.githubusercontent.com URL only works for public repos. Fixes #<issue> Co-authored-by: dsyme <7204669+dsyme@users.noreply.github.com>
diff --git a/actions/setup/js/safe_outputs_handlers.cjs b/actions/setup/js/safe_outputs_handlers.cjs
@@ -166,7 +166,7 @@ function createHandlers(server, appendSafeOutput, config = {}) {
     try {
       const serverHostname = new URL(githubServer).hostname;
       if (serverHostname === "github.com") {
-        url = `https://raw.githubusercontent.com/${repo}/${normalizedBranchName}/${targetFileName}`;
+        url = `https://github.com/${repo}/blob/${normalizedBranchName}/${targetFileName}?raw=true`;
       } else {
         // GitHub Enterprise Server - raw content is served from the same host with /raw/ path
         url = `${githubServer}/${repo}/raw/${normalizedBranchName}/${targetFileName}`;
diff --git a/actions/setup/js/safe_outputs_handlers.test.cjs b/actions/setup/js/safe_outputs_handlers.test.cjs
@@ -138,7 +138,7 @@ describe("safe_outputs_handlers", () => {
   });
 
   describe("uploadAssetHandler", () => {
-    it("should generate raw.githubusercontent.com URL for github.com", () => {
+    it("should generate blob URL with raw=true for github.com", () => {
       process.env.GH_AW_ASSETS_BRANCH = "test-branch";
       process.env.GITHUB_SERVER_URL = "https://github.com";
       process.env.GITHUB_REPOSITORY = "myorg/myrepo";
@@ -149,8 +149,9 @@ describe("safe_outputs_handlers", () => {
       handlers.uploadAssetHandler({ path: testFile });
 
       const entry = mockAppendSafeOutput.mock.calls[0][0];
-      expect(entry.url).toContain("raw.githubusercontent.com");
-      expect(entry.url).toContain("myorg/myrepo");
+      expect(entry.url).toContain("github.com/myorg/myrepo/blob/test-branch");
+      expect(entry.url).toContain("?raw=true");
+      expect(entry.url).not.toContain("raw.githubusercontent.com");
     });
 
     it("should generate enterprise URL for GitHub Enterprise Server", () => {
diff --git a/docs/src/content/docs/reference/safe-outputs.md b/docs/src/content/docs/reference/safe-outputs.md
@@ -884,7 +884,7 @@ Agent output format: `{"type": "update_release", "tag": "v1.0.0", "operation": "
 
 ### Asset Uploads (`upload-asset:`)
 
-Uploads files (screenshots, charts, reports) to orphaned git branch with predictable URLs: `https://raw.githubusercontent.com/{owner}/{repo}/{branch}/{filename}`. Agent registers files via `upload_asset` tool; separate job with `contents: write` commits them.
+Uploads files (screenshots, charts, reports) to orphaned git branch with predictable URLs: `https://github.com/{owner}/{repo}/blob/{branch}/{filename}?raw=true`. Agent registers files via `upload_asset` tool; separate job with `contents: write` commits them.
 
 ```yaml wrap
 safe-outputs:
