upload-asset safe output doesn't work for private repos

[chrizbo]

Problem

The upload-asset safe output pushes image files to an orphan branch (e.g., assets/Weekly-Team-Report) and returns raw.githubusercontent.com URLs. These URLs return 404 for private repositories because raw.githubusercontent.com requires authentication for private repo content.

When these URLs are embedded in GitHub Discussions (or Issues), GitHub's markdown renderer does not proxy them — the images appear broken.

Current Behavior

1. Agent generates chart images and calls upload_asset tool
2. Safe output handler pushes PNGs to orphan branch assets/<workflow-name>
3. Returns URL: https://raw.githubusercontent.com/<owner>/<repo>/assets/<workflow-name>/<hash>.png
4. URL works for public repos ✅
5. URL returns 404 for private repos ❌
6. Images embedded in Discussions/Issues show as broken ❌

Expected Behavior

upload-asset should return URLs that work for authenticated GitHub users viewing Discussions/Issues in private repos.

Reproduction

1. Create a workflow with upload-asset safe output in a private repo
2. Generate and upload an image
3. Embed the returned URL in a create-discussion safe output
4. View the discussion — images are broken (404)

Suggested Fix

Use GitHub's image upload/attachment service (the same one used by drag-and-drop image uploads in Issues/Discussions) instead of pushing to an orphan branch. This produces user-attachments URLs that work for any authenticated user with repo access, regardless of repo visibility.

Alternatively, use the GitHub API to create blob URLs (/repos/{owner}/{repo}/git/blobs) which can be accessed by authenticated users.

Workaround

For now, skip upload_asset and save charts as workflow artifacts (data-charts artifact) that users can download from the Actions tab.

[pelikhan]

@chrizbo try again plz

[pelikhan]

Should be fixed.